Ask HN: How to Find a Developer Job with a Felony?
34 points by sarciszewski on June 27, 2014 | 83 comments
Background: In 2011, I was arrested for violating the CFAA (I found that Sylint Corporation [usinfosec.com] was running a very out-of-date and publicly vulnerable DotNetNuke for the Infragard Tampa Bay website and raised the alarm publicly, and well, they didn't quite appreciate that) and sentenced to probation in 2012. I'm currently in a period of limbo following the end of the contract portion of a temp-to-perm gig, and I've been trying to find something a little more certain.

I live in Orlando, FL, and I never have the opportunity to speak with a company directly. Instead, everyone outsources their talent acquisition to IT recruiters/headhunters that, as a third party, refuse to represent me to prospective employers because of this blemish on my record. The recruiters' oligarchy on the job openings in the area has created a sort of impenetrable barrier. (Ironically, many of the recruiters I have spoken with are from all over the country.)

So what should someone in my situation do? What's the best way to find a company in Orlando that hires directly?




I hate to say it, but maybe you should tone it down a little bit on your Twitter account. People are always going to Google your name when your resume comes in. Odds are they're going to find your Twitter account. Odds are they're going to find tweets like "Seriously tempted upload a sql.tar.gz that's just an archive full of obscene furry porn from the deepest trenches of fchan's /ah/ board."

If I was an employer and I saw a job applicant tweet something like that, their resume would immediately go in the shredder.

Think about it from the employer's point of view: "What happens if this guy is disgruntled with us for some reason? Is he going to joke about something that'll embarrass us? Maybe he'll turn our website into an archive of obscene furry porn?" Given you're tweeting things like that, why would I hire you?

(and yes, I know that that tweet's referring to the previous "HEAD /passwords.txt" tweet, but it's incredibly easy to take things out of context on the internets)


I've spent about 10 minutes reading articles from OP and I have to say he comes across poorly. To be very blunt, OP you come across as a jerk. The funny thing is I'm naturally sympathetic - I don't think what you did is even a crime! For example:

https://scott.arciszewski.me/blog/2014/03/black-and-white-26...

> The total "intrusion" lasted only 23 minutes, according to court documents.

I'd be concerned if someone intruded into my computer for 23 seconds. Attempting to minimize what you're accused of with statements like this will likely turn people against you.

> As usual, the game was rigged, and I lost

Sometimes introspection allows us to see that we legitimately lose; that things aren't always rigged against us. It also lets us see that our attitude can be our own worst enemy.

> My last semester was erased (which screwed up my taxes for the next year and is probably illegal)

"Woe is me" doesn't play well when you are experiencing the negative consequences of having committed an alleged crime. Also don't accuse others of illegal activities unless you can prove them; it destroys your credibility.

> For the digital equivalent of knocking on someone's front door, it swinging ajar, looking in, seeing nobody home, going on my way, and then being put on house arrest

Again, you're minimizing what you did. A more apt analogy based on your own description of what you did would be coming up to a locked door, seeing it is Brand X locks, purposely seeking out an exploit on how to pick Brand X locks, spending time picking the lock and then broadcasting to the world what you did.

I could go on, but the summary is that being a humble and contrite person will often allow a guilty person to go off scot-free. When I was arrested for hacking, that's what happened to me and I was literally let go with no record. On the flip side, rightly or wrongly coming across with a negative attitude can help an innocent person go to jail. Fair or not, that's the world we live in.


"runner up: Not using Tor, an overseas VPN, or an SSH tunnel when I knew how" wasn't a particularly great thing to say here.


The number one response I hear from infosec people (which was the intended audience of 2600) was, "Dude, you should've used a proxy!" I recognize that failing to do so was reckless and stupid.


No, talking about one of your biggest regrets being "getting caught" is a problem today. The textbook example of someone who isn't sorry for what he did is that he explains his mistakes as "I got caught."


@danielweber: I think it's very easy to misconstrue what I'm saying for "I regret getting caught". My point is that I knew how to hide, but didn't, so anyone who calls me stupid for not doing so is correct. Poor risk management.


No, I'm saying it was a bad idea to talk about what you did wrong to get caught. It creates the perception that you think exploiting flaws in someone's site without permission wasn't the big thing you did wrong.

Which, you can believe that or not, but in terms of mitigating risks perceived by employers, not creating that impression should be your #1 priority.


Well he was kind of railroaded by a law that sucks. $9,000 in damages by planting 3 files on a website? Worse, it's impossible to argue intent / mens rea in these cases. It doesn't matter if your intent was to cause no damage because the crime isn't defined by the damage but by the access. As long as you intended to access the internet-connected device, and knew you were exceeding your permitted access, you're guilty. The "damage" doesn't have to be intentional.

The opportunity is gone now, but I really wish he'd fought this case and gotten it in front of a jury. It's very technical testimony and I think a jury could really question the damage amount. If it were below $5,000 this law doesn't apply. How much did it really cost? They had to delete 3 files and apply patches that they should have applied all along.

It's also just weird how punishment scales work. I used to go to my probation officer's office and see all the other guys he was monitoring. Most were serious drug dealers or weapons violations. It seemed so out of whack. But then when I'd go do community service I'd see people sentenced to 20 hours of community service, hundreds of dollars in fines, and weeks in jail for crap like shoplifting a 99 cent air freshener or a pack of cigarettes.


His lawyer was probably very right. He's conceding on this thread a fact pattern that will, by the jury instructions, mechanically result in a conviction. He'd spent many tens of thousands of dollars to achieve the same guilty verdict, with the sweetener of a short custodial sentence.

I'm not entirely sure what the punishment Scott received actually was, but he served no time, so it sounds like his sentencing level was below the noise floor.


I believe he got almost exactly what I got: six months "imprisonment" (served as home detention), five years probation, restitution ($9,000-ish for him), 100 hours of community service, and a few assorted court and administrative fees. Probably also had to pay fees for an ankle monitor system while on home detention, but not sure.

Unless it's changed, I think under the normal federal sentencing guidelines, that amount of "damage" doesn't even qualify for any prison time at all, but the specific offense overrides that to impose a minimum of six months. That's because of a little outcry in the 1990s over hackers not serving any time and the (maybe valid) perception that they actually benefited from the notoriety of a conviction.


I see your point that the wording is not the humblest, most submissive, self-loathing etc. thing I could have written about it, but I was honestly expressing how I feel about the whole incident.

To be pedantic, the door WAS unlocked. You did not even need a user account to upload files. In hindsight, I probably could have argued that "authorized access" was never exceeded because the form I used was publicly accessible as part of a DotNetNuke design flaw, but I didn't want to drag the court battle out any longer. I was in the wrong, even if I wasn't the only one.


Well, here you get to choose your own adventure. You can publicly mollify your complicated feelings about what happened to you in angry posts to the Internet, or you can get an early start on repairing the damage you've done to your career.

You are not a spectator for your own life. You aren't limited to expressing opinions about it. You are free to act that way. You can try to play a victim card that only a tiny fraction of people will even understand, let alone sympathize with. You can choose to make your life about this event.

Or you can make your life about something else, and put this behind you.

I'd just worry that you probably can't do both of those things.

If you're going to do the latter, my advice is this: any time you talk about what happened with you and that stupid website, have a clear goal behind whatever it is you're saying. Make sure that goal squares up with your overall goal of getting this in the past. The Internet really, really, really, really wants you to pick it apart and debate it. That creates drama, and drama is fun. Personally, I think you've donated enough drama to the Internet, and you don't owe anyone any more of it.


Amazingly well said.

OP: Eventually the narrative will shift to "I was young and stupid, and it was a long time ago," which is exactly what you want. By continuing to defend what you did, you're actively delaying the time until you can begin using that line. Frankly, whether you believe you're right or not is beside the point; no hiring manager is going to care, and your current attitude towards it presents as toxic.


This is not bad advice either.


That's a fair point.


The only companies that have ever cared about running background checks in this industry in my personal experience have been the likes of Microsoft and Genentech--giant corporations (on contract--not sure about their 'full-time' hiring policies). Everywhere else I've worked, both contract and full-time (quite a few places) have not cared. Perhaps you can target small to medium companies. Especially startups (if that's your thing) don't care too much about such frivolities. This comes from working mainly in the Bay Area, however.

Speaking of which, if a recruiter is unwilling to work with you, stop talking to them. Recruiters are a dime a dozen. When one drops out, ten pop up. There is no need to deal with the bad ones (almost all of them). I've noticed this in the Bay Area, Austin, Portland, and Seattle. I'm sure it's no different in Orlando. Basically, don't tell them about your past. They don't need to know anyway. Just ask about the hiring process and decline if it includes a background check. There's no need to be honest with recruiters. Seriously, if I had to guess, I'd say there are at least ten recruiters for every engineer, designer, etc.

Now, if you need help getting in touch with more recruiters that's very simple. Use Dice, LinkedIn, Stack Overflow Careers, or whatever. Just post your resume up and make sure your availability date is in the near future. You may want to use a separate email (and maybe even phone number) just for this as it's guaranteed to get recruiters' attention and offers (oftentimes referred to as recruiter spam).


>> the likes of Microsoft and Genentech--giant corporations

I've found a lot of smaller companies (5-40 people) have owners who are careful to not hire people with criminal backgrounds. I'm assuming they don't want someone who's potentially a danger to other employees or customers, or capable of committing theft on their premises.


"Just ask about the hiring process and decline if it includes a background check."

I'm not sure there's any need for that, especially since everyone will have some kind of background check. Just don't tell them about the conviction up-front. Don't lie about it either, when you get to the background check part, but in my experience that is usually fairly late in the game. But don't volunteer it.

Note: I don't have any convictions, so no direct experience. Just been a contractor for most of my career.


I was convicted of nearly the same offense over 10 years ago. Actually, I live in the same area and was prosecuted by the same exact attorney. I spent nearly $50,000 setting the precedent that allowed you to serve your six months in home detention rather than actual federal prison. You're welcome :).

First of all, you need to shift your story. You make it sound like you were persecuted for white hat actions. You weren't. You made a mistake, you learned a lot from it, you've changed, and nothing like that will ever happen again. That's your story. Write a letter of explanation and get some friends to review it. You should include the fact that you were never in prison and if you're able to pay restitution, make sure to explain that. Keep that letter handy and include it whenever you apply.

As for jobs, I've been able to stay employed by networking through friends. I doubt you'll be able to find and hold any IT job found through recruiters or job postings. Network like crazy. Get to as many Meetups as you can, visit hackerspaces (like FamiLAB), go to CodeCamp, BarCamp, startup events, etc. and volunteer to help with lots of things. Become that super-helpful guy that will do anything to make stuff work.

Anyone that hires or contracts you needs to know up front that they're going to have to deal with your probation officer. Mine actually visited my office and talked to my boss in person. It is possible to somewhat shield yourself with layers. Like if you have a friend running a consulting company, become a contractor or employee of his and he knows about your conviction and assumes the risk, but if he doesn't inform end customers, your probation office may be fine with that.

You can also go indie and build stuff. Apps, Wordpress themes, anything that can go on Kickstarter, ebooks, affiliate marketing websites, etc. All that direct-to-consumer stuff was great for survival-level income while I was recovering.

Check my comment history for other advice on this topic. I only use this account for posts like this.


I was going to suggest that you do some SEO work on your name but I don't know if it's possible to bury all that news coverage. I was able to bury mine with a mountain of other content but yours got more coverage. Eventually maybe you can push that stuff off the first page of results and present a better view of yourself to anyone that searches.


Yes, that would probably help tremendously as well.


It's hard to believe now, but some day this will all fade. I go days and weeks without even remembering that I'm a convicted federal felon. Today I only really think about it when I'm volunteering somewhere and it's time for a background check, when I think about travelling to Canada, or when I see a firearm I wish I could own. I've passed a half-dozen background checks and been able to volunteer without a problem, I think I could travel to Canada now but there's a chance they would deny me, but I doubt I'll ever get firearm ownership rights back.


I should also add that I've been amazed by the number of gainfully employed people I've met that have felony convictions. It's a lot more common than you'd think. I even have two friends with vehicle-related homicide convictions (one DUI, one reckless driving) that are employed and another friend that has four DUI convictions but is employed in the IT field.

I've also been amazed at the jobs I've held and the work I was trusted with after my conviction. I've rolled out software at Fortune 500s and sensitive government agencies and survived a lot of corporate restructuring and mergers.


Sorry to hear about your experience. This is all good stuff. I was actually going to try to do my community service through FamiLAB, but the person I contacted was super busy.

To make matters more complicated, FamiLab's office is like 2 hours away by bicycle and, ironically, 3 by Lynx bus. (I do not have access to a car.)


I originally did mine through a church where the pastor was a former IT guy. Spent a lot of time doing his website, cabling, etc. Then the probation office (or at least my officer) changed their policy and I had to do neighborhood cleanup with the parks department instead. It also seems like I got more hours, maybe 200. Anyways, I spent a lot of days mowing medians, parks, vacant lots, picking up leaves, burying dead stray dogs, etc., mostly with guys with DUI convictions. Gives you a lot of time to think.

I hope your PO doesn't make you go to his office every month. I only had to do that a couple of times. But he had a knack for showing up at my house right when I got in the shower. You just have to suck it up, be humble, and do your best to show them that you just want to get through it without extra hassles.


Obligatory link to Jason Calacanis's "Why I Employed a Felon", from 2009:

http://calacanis.com/2009/03/05/why-i-employed-a-felon/

-----

Excerpt:

> However, Mark screwed up by not doing a simple Google search on John’s name. If Mark had, he would have easily found out about these crimes, we would never have hired John, and I would not be writing this letter. Why would we even take the risk of hiring a felon hacker? No one would, right?

> Months after John’s hiring, our VP of Operations found out about the crimes John had committed. We sat down with John and learned about what he did when he was younger, how he was abused as a child, his anger issues, and how he found some level of peace in being part of the team at Mahalo.

> Now I was left with the decision to fire John on the spot and cut my losses and responsibility. This was the easy choice, obviously. If I really wanted to cover my butt, I could turn on one of my best friends, Mark Jeffrey, and fire him for making the only mistake he’s ever made working for me. The other option was to keep John on and deal with the potential firestorm of criticism that we’re now facing.

> I chose to put my job and reputation on the line and keep John employed.

> At this moment, I’m honestly glad we didn’t know about what John did when we hired him and I’m happy we’ve kept him on board. It’s taught me a lot about society, computer crime and rehabilitation. In John, I see almost every computer programmer from my time “hacking” on BBSes as a kid, attending hacker conferences and hiring “white hat” hackers for a living.

> Almost all talented developers push the envelope when they’re young. Anyone in technology knows this dark, dirty little secret

------


There's not much to learn from Calacanis' story, unfortunately.

Scott Arciszewski's story is very sympathetic. He crossed an invisible (and very poorly understood) line in poking at websites for security flaws. He made a mistake that's very easy to understand, and, while I don't share his politics, it's straightforward to see how someone could get caught up in the moment --- in this case the original Assange drama --- and find themselves in a perfect storm of legal drama. Scott barely "pushed the envelope" at all, and appears to have just been very unlucky.

Calacanis' employee is much less sympathetic. He was convicted of running a botnet and, IIRC, using it to steal money from victims. That employee was put into a role where he was given access to the authentication information of thousands of users. Calacanis' employee didn't "push the envelope". He tore it open, took the money from inside it, and passed some of it out to his friends.

Be careful about false equivalences. The comparison you're making here is very unfair to Arciszewski.


I didn't mean to imply equivalence between the two employees, but just giving one (well-known, and perhaps not widely applicable) example of an employer's mindset on this. Though the fact that Calacanis is a more public figure (and thus subject to more scrutiny by the press), and his employee had more egregiously stepped over the line, seems to be a scenario in which a hire of a felon was less likely than the scenario the OP faces.


Assuming the terms of your sentence aren't like Mitnick's http://en.wikipedia.org/wiki/Kevin_Mitnick#Arrest.2C_convict... (where he wasn't allowed to be near a computer for a period of time after he got out of prison)

"I live in Orlando, FL, and I never have the opportunity to speak with a company directly". I don't think you're trying hard enough. This kind of 'all or nothing' thinking doesn't help you.

Get involved with other developers in the community. Go to some toastmasters meetings to polish your face-to-face social skills. Don't mention your felony unless you're asked about it. Remove it from your resume if you've put it there. If and when you are asked about it, clearly explain that it was you trying to act in good faith to protect the interests of the Tampa Bay website.


I don't have any restrictions on my computer use, not even in regards to encryption or virtual machines.

Thanks for the suggestions.


Do you still have to provide all of your email addresses to your PO every month? That sucked, especially on a hand-written form.


My probation officer only ever requested one email address from me.


Considering the list of crimes that one could commit to receive a Felony, I'd say you probably have one of the best ones when it comes to your profession; one that could actually complement your experience record. So chin up.


While what he was convicted of is fairly minor from the details given, the felony question on an application generally looks like this: Have you ever been convicted of a Felony? [ ]Yes [ ]No

It's hard to explain it if you are only given an 'X' to answer it.


Every one that I have seen has a follow up: If yes, please explain. But maybe that is more to do with location. As noted by another HNer, we're not as concerned about that in the SF Bay Area.


Almost always, the next question is "If you checked yes to the previous question, please explain"


Please put your contact information and skill set in your profile. Are you available for working remotely?


Sure thing. And yes, I am.


> raised the alarm publicly, and well, they didn't quite appreciate that

You might want to start by adjusting your perspective. A quick Google search suggests you found the exploit and notified @lulzsec (a hacker group). Whether or not that is "true" makes no difference, as it is the "Google" truth.

Saying, "I was young, dumb, wanted attention, and made a huge mistake" is much better than "they didn't quite appreciate that".


Alright, I'll take that into consideration.


I've never been convicted of a crime, but have friends who have, and while I haven't dug into their career issues, my understanding is that none of them have been prevented from working in technology as a result of background checks.

I think your felony conviction isn't your worst problem. Your worst problem is that you're trying to get jobs in Orlando and using recruiters to do it. Both of these are bad strategies. Working with recruiters is the bigger mistake.

It is almost certainly not true that recruiters maintain an "oligarchy" over tech jobs in Orlando. All things being equal, hiring managers would rather not rely on recruiters to fill positions, because recruiters are very expensive. It may be the case that it's hard to get a job from online job ads in Orlando without working with recruiters, but job ads are not the best way to find jobs anyways.

Here are some thoughts (grain of salt; I'm not you, and you know more about your situation than I do):

1. You're in the hottest market for tech talent that I've seen in my whole career. That could change tomorrow, and eventually, after some number of "tomorrows", will change. When that happens, your criminal record could suddenly become a much bigger problem than it is now. So I'd move quickly to find a full-time role and to start establishing a career track record. The longer you maintain full-time employment with established firms, the less relevant your background becomes.

2. I urge you to cast a wider net than Orlando. You don't necessarily have to move to get a job that isn't based out of central Florida. But you're also quite young; if you don't have a very good reason to stay there, consider finding a job in a larger metro area --- Austin, Atlanta, DC --- and moving for awhile. I left Chicago for SF early in my career and eventually moved back, and while I don't love SF, I'm glad for the experience of trying it out.

3. Stop working through recruiters. Recruiters are bad news for developers even without a criminal record. But when you understand how most recruiters work, transactionally, like real estate agents, you can see that any potential obstacle to placing you is going to make you disproportionately less lucrative in their business model.

4. I think you'll find that most software companies aren't particularly rigorous with background checks. If you're not trying to land a role where a CFAA conviction is relevant, I don't think you're obligated to bring your background up.

5. The best way to find a company that hires directly is to simply assume that they will all hire directly, if you find the right person to talk to. Two things you can do right away: first, make a list of tech companies in your region and start finding people you can grab coffee with, and second, start showing up at meetups and asking people about their jobs, what they're working on, and what they like about the jobs. One thing you're going to find out quickly is that employees in tech shops are usually incentivized to help recruit people. By talking to them about working at their company, you're often doing them a favor, by setting them up to collect 4-5 figure bonuses.

So: Act as if your conviction is not a problem. Start looking outside Orlando, which might be problematic even for developers without criminal records. Stop trying to work through recruiters. Assume every company hires directly. Make a list of companies you might want to work for in your area and start finding people who work there to talk to. Show up at meetups and make conversation with people about their jobs, and see where things go from there.

There are going to be jobs where a criminal conviction is a roadblock (unfortunately, many jobs in my field are like that; consulting clients, for instance, all tend to background check consultants; another place you'll have trouble is finance). But my guess is that the majority of dev jobs are not like that.


> The best way to find a company that hires directly is to simply assume that they will all hire directly, if you find the right person to talk to.

I had to quote this one for emphasis because a lot of engineers actively disbelieve it, to their detriment. Ditto "All tech companies are actively hiring engineers all the time. You will never waste appreciable amounts of their time getting in touch with a hiring manager and offering to chat about the possibility of working together."

Incidentally: a company's best performing employees very rarely come from their outsourced recruiting pipeline. If you come from outside their recruiting pipeline, their prior expectation of how good a candidate you are may be higher just as a result of that fact.


> The best way to find a company that hires directly is to simply assume that they will all hire directly, if you find the right person to talk to.

This may be beyond obvious, but it can help to network by going to technical meetups[1], conferences and the like. You may not meet hiring managers, but you'll meet your peers who may know of open jobs at their companies and can help you get interviews.

[1] I don't know how things are in Orlando, but every week lately I've been getting emails from Meetup.com about yet another new technical meetup group that is starting up in my general area. One would hope that you can find some that would be relevant to you.


Another quick tip: whenever you see a job posting that doesn't mention the company by name, google some of the sentences used in the posting - often, you'll find the company the recruiter is trying to hire for, and often they'll have a direct www.some-company.com/jobs page where you can apply directly.


This is a great tip, but candidly: the same way you can assume companies in Orlando will all hire directly, you can usually safely assume that any tech company is always hiring, whether or not they have a listing for a specific job on their site.


This used to be a peeve of mine... that recruiters were so lazy that they would just cut-and-paste the job description and hope to hook a nice commission off of an applicant.

Now I treat it as a job-lead generator.


In their defense, why would they not do that? If the job description is already written up and looks good, why re-write it?


This - with some extras

0. Choose three things in Dev you are good at and make them your calling card. Loved automating sysadmin - puppet, ansible and salt should be all over your blog.

1. LinkedIn is great, take some time this evening to update your profile, focusing on the three calling cards. Everyone you take for coffee will look you up - a LinkedIn profile without a photo and up-to-date data is like not wearing a suit at an interview. It might be ok but most people just expect it.

2. Don't hide your past - don't ever ever lie about it - that will wrap you up in guilt and fear and shoot your sanity to pieces.

3. You seem to feel you have a justification for the actions you took - see a lawyer, take reasonable steps to have your side of the story into court (counter suing your employer?). Someday your past will be used against you for political reasons - it will be very helpful to say "I am still in process of counter suing and the case is with the Florida blah" as opposed to "but I was innocent"

5. Taking people to coffee is great - taking them to coffee to discuss their experiences with your calling card areas is even better cos it has a higher hit rate and the "got any jobs going?" part comes much later

6. Never ever lie about your past. Ever

7. See 6. No matter how tempted.


This is good advice, I think, but without getting into a lot of details, (3) is probably not going to be useful to Scott.

If it were me (it isn't, so again, grain of salt), gentle contrition and hard-earned wisdom would be the narrative I'd apply. He's got nothing to beat himself up over, but the message he probably wants to send to employers is "that sucked, not ever doing that again".


Hmm I may have misunderstood - I thought he was working for the vulnerable site as opposed to reporting it publicly (and presumably disclosing how he found out)

I am overly cautious on public records that are not obviously favourable to oneself - certainly have an attitude of juvenile regret, but I would be tempted to look at this area closely. But it is certainly a long term thing and will not help getting a job now.


What seems to have happened in this case is that Arciszewski stumbled unawares into what is in fact a cut-and-dried CFAA violation. Contrary to extraordinarily widespread and dangerous popular belief, it is not lawful to test random sites on the Internet for security flaws. It is unlikely to ever be lawful to actively exploit flaws on sites without permission. Arciszewski POC'd a serious vulnerability on a site, and had the misfortune and poor judgement to do so during the middle of a huge law enforcement shitstorm.

If that happens to you, I think the impression you don't want to create is that you vigorously contest the criminality of your actions. That impression comes freighted with the concern that you might think exploiting vulnerabilities without permission in order to make a point on Twitter is a good idea. That concern is, to many employers, both valid and relevant.

Instead, I think you want to create the impression that you've learned that the standards are strict for not messing with other people's systems without permission. And that you've learned better than most other professionals that systems in production are not to be trifled with out of process. And thus that of all the people a firm could hire, you're among the least likely to cause outages and disruption by making dumb out-of-process changes.

For whatever it's worth: if you want Exhibit A for why I don't have a lot of sympathy for people involved in "Lulzsec": breaking into sites and circulating credit card numbers and dumping databases created a set of circumstances that law enforcement absolutely had to respond to, and that's what sets up the crossfire that undisciplined but well-intentioned bug hunters get caught in. The people who go beyond doc'ing vulnerabilities to dump databases and take down sites are in some sense ruining things for everyone else.


Your description of the events seems overly mild to me.

I read that he POC'd a site, and then disclosed it the same day to @lulzsec.

The latter is what got him the felony, but you make it seem like the former or his timing was the problem.


The FBI agents said if I had done it six weeks prior, they wouldn't be arresting me, they'd be saying "Don't do it again."


In fairness, lulzsec did morph from "security research group tired of waiting for site operators to protect their users" to "blackhat hacker collective".

The timing was a major problem. If you do have to defend yourself, I think saying you misjudged the nature of lulzsec is a defensible thing to say.


Hmmm - yes I was under that impression (although I do know the UK equivalents are similar) I just think back to the Citibank URL incident.

Re: jcampbell - I can't reply direct yet, but I am not sure that it is illegal to tell people how to pick a lock in the UK, even if you shout it out in some of the rougher pubs in the East End. It's just illegal to "go equipped".

I guess how the law is, and how the law would be under a sensible compromise, is the OP's problem.

So, poor timing, poor choice of people to reveal it to.


Whoa. That was very insightful.

I'm not in a situation where I can leave Orlando right now, but I will keep it in mind.

Thanks a bunch!


tptacek's advice makes sense. I'd especially stress his point #2, which is to leave yourself the option of going elsewhere than Orlando. Let's be generous and say Orlando has 1% of the tech jobs you're qualified for; if you narrow the set of possible jobs to only local ones, you're ignoring 99% of the possibilities.

If I were the hiring manager (and I've been a hiring manager before) and were aware of your probation, I'd be curious and want to skim the plea agreement. But if you were doing white-hat stuff, as you say, it wouldn't interfere with me offering you a job.


I wish I could look outside Orlando but that's not an option for me at the moment.


Supervised release often lets you move AFTER you find a job from what I understand via a friend who had an unfortunate intersection with the law as well.

I'd imagine federal probation is related to that program and has similar standards?

A petition to move to a larger job market (SF, Atl, or Austin) might start a discussion which opens other options to you.


If mthreat's around he can give you some feedback on this. (He did 5 years) Honestly this really isn't a big deal and IMHO you should be talking to companies directly. Avoid larger corps and anywhere you require clearance. Other than that the world's your oyster. I run an infosec business and I can tell you that having done a little time is a badge of honor in some circles.

My suggestion: Hit defcon in August in Vegas and network your ass off. Use your friends and their friends to get a job, not recruiters. Also start demonstrating that you've cleaned up your act by continuing infosec research and doing a few responsible disclosures. Showing that you've matured and have a track record of working with vendors to responsibly disclose vulnerabilities is a huge mark in your favor.

Also ping me personally at mmaunder at gmail so I have your info - send your resume and what you're after and examples of some of your work.


(mthreat here, on my not banned HN account)

The OP said he's on probation. The most important thing is to complete the probation successfully (i.e., don't violate it and go to jail). Once he's finished probation, he may be able to get it removed from his record, or probation may not count as a "conviction" at all. I'm not sure how it works in Florida, but he should ask his lawyer about it. Never assume it's stuck on your (OP's) record forever.

That said, even with a conviction for the kind of crime you describe, it shouldn't hold him back. My conviction did keep me from working at places like IBM (I was actually hired, but then unhired when they found out I had a conviction). So I went to work with startups, worked with really cool & smart people, and made about 100 times as much money as I would have made at IBM. Even if your record keeps you from 20% of the jobs, that leaves 80%.


It's a federal felony. There's only one way to expunge that, a Presidential pardon. It's a long process and kind of a long shot. I haven't even applied for mine.

He should definitely apply for his rights restoration when eligible. I got mine done. Florida isn't currently restoring firearm ownership rights but that's good to get done if they ever start doing it again.


I doubt the current administration would do that for me. :P


I've already made a couple posts on FD, but usually I just send pull requests when I find issues in open source projects and don't really seek fanfare for anything. (I haven't evaluated any closed source stuff.)


Of all the career paths you have right now, information security is the thorniest. There are four big reasons for this:

1. Hiring managers on the defensive side of infosec tend to have an "us vs. them" attitude towards attackers. The people in the trenches in this field are young and open-minded, but management can tend towards grey-haired and conservative.

2. Infosec is closely tied to risk management. Nobody is allocating enough resources to security to properly mitigate threats, and everyone's acutely aware of that. Lots of large, smart firms are going to avoid hiring people with criminal backgrounds simply to avoid the possibility of an own-goal.

3. Relatedly: even firms that spent nosebleed amounts of capital on security are going to have high-profile security events, and when that happens, the rest of the organization is going to look to the infosec team for someone to blame. The backgrounds of everyone on the team will be relevant in those finger-pointing exercises.

4. Finally, and as I've said elsewhere: the offensive side of security is dominated by contractors, and contracting clients tend to background check as a matter of course.

You can nurture an interest with software security as a developer, by being the developer on your team that knows the most about software security; you can keep doing the security stuff you like now without necessarily holding out for a role with "security" in the title.


Yeah, I've been aiming for developer roles rather than security roles... mostly because exploitation is not my greatest strength.


You're also very young. At some point in the not too distant future, it's likely that your entanglement with the law is going to stop mattering at all.


I certainly hope you're right. That happened in 2011; it's already 2014 and the clock's only going to continue to move forward. Nothing can be gained from being stuck in the past forever. :)


My $0.02: Hiring typically follows the path of least resistance. Every hiring decision I've ever witnessed went something like this:

"We need somebody with [insert some skillset]. Do we know of anybody?"

This would routinely be followed by a flailing search that would involve job boards, dead-end interviews, and eventually settling on a hire that may or may not work out.

I couldn't agree more with tptacek's advice: do not use recruiters. They tend to have very tenuous understanding of their clients' needs, and their clients don't want to use them, anyway. They would love to fill their open positions quickly with talented people, but due to day-to-day responsibilities, don't have the bandwidth to handle these relationships.

So the fastest way to get hired, in my experience, would be to inject yourself in that process between the decision-makers and the jobs they need filled.

I don't think asking people to coffee is necessarily the most effective way to do this, since a lot of people you might like to talk to and would like to hire you are short on time. So my advice would be to cultivate relationships with people at any level at companies you might like to work at. I say any level because the decision-makers routinely ask developers if they know anybody who could fill the position. So attend meetups, or better yet, start a meetup or ask companies you might like to work at if you could come in and teach a free lunch and learn on topic X. Very few would turn down a free training session for their employees.

Good luck! BTW, I don't think the felony makes a difference unless you are going for a job that requires clearance.


Just approach companies directly; your 'crime', if you can call it that, was more the mistake of Sylint Corporation, not yours. Employers will understand that good people in our industry tend to be 'curious' and will want to work with your skills etc :)


Thanks, that's more-or-less what my plan is, but I'm not sure where to find companies that are hiring.


You don't necessarily have to find companies that are openly hiring. You can look for interesting companies and contact them directly. The failure rate would be high, but it's a starting point.


Hmm, that's a good point that I hadn't considered. Thanks :D


Akamai and Citrix have some job openings in the Fort Lauderdale area, with Akamai specifically looking for people with your background. If you're stuck in FL, that's probably your best bet.

Orlando isn't so great for tech jobs -- though Disney is actively hiring. The FLL/Miami area long ago had a huge IBM and Harris presence, which resulted in a handful of tech companies having some sort of presence in the area.


Personally I would go to some open data/software/wiki/something or another meetup and find fellow developers. They will know where the jobs are and will find out that you are a person, not some statistic or piece of paper that can be rejected out of hand. Somewhere there is a good job for you too.


Yep, I've been doing that. I'm going to FossetCon in September. I've been attending user groups and meet-ups in the area, but mostly to learn stuff and make friends. I tried to attend the local 2600 meetings, but every time I went nobody showed up. (And it's a rather far bike ride from where I live.)


If you can move to SF, for a little while at least, you'll find a white-hot job market, especially in security, and background checks aren't so big here. (Was this responsible disclosure, tho?)

Email me if you can move to the Bay Area.


Unfortunately, due to family matters, I'm stuck in Florida for at least the next year.


You might consider continuing with contract jobs for a year, and then seeking opportunities elsewhere once you have the option.


Ah, my condolences to you.


Check out Collegis in Maitland. Not that far away.

http://www.collegiseducation.com/careers/


Stop talking to third-party recruiters. If you have a LinkedIn account, or resumes posted on any job boards, you will get more spam from them than you will ever need regarding job leads.

But should you be so foolish as to respond, you will find that you have to do twice as much work to get to the person who can say yes, and they will wind up giving some of your money to someone else. And the recruiter is so desperately afraid of getting cut out that they will hide information from you and from the employer, or even lie outright. And that can bite you later.

Every company out there is fully capable of hiring a person that will add to their profits without paying someone else to do it. The key is to find the person that can say yes and talk to them, without the flappers and gatekeepers interposing themselves.

The only companies that will make a preemptive strike based on a background check are required to do so by contract or by government regulations, mostly to protect against data breaches. Banks, companies with access to medical records, and defense contractors, mostly.

The greatest strike against you is not, in fact, your felony. It is that you are a whistleblower that embarrassed your employer. You can explain that your felony was a result of choosing between breaking the law and violating your own ethics, and get some understanding there, but the instant they discover that you cost a former employer any significant amount of money for lawyers and PR firms, you will be judged "not a good fit for this position".

EDIT: OP was not employed by Sylint, so I guess this is not quite so bad.

Companies work with recruiters because they would rather touch that sleaze and clean it off later than to manage their own bozo filters. There is nothing particularly special about what they do--they are specialist salesmen. Their value lies in knowing a bare minimum about their product (you), and in knowing how to sell a pig in a poke to someone with a vague taste for bacon, or perhaps a ham sandwich. In short, they know who is hiring, or who might be soon.

But this month, everyone is hiring, or at least willing to consider it. First, drive around an office park near your home, writing down the names of companies. Next, find websites for those companies. If you can't find a website, you don't necessarily need to cross it off your list. The first thing any tech person would do is get their company a domain name and static home page with minimal business information. Those companies won't hire you, but they might be willing to do a consulting contract with you to get their name and logo on the web.

For the rest, check to see if they have a jobs and careers section, where you can apply directly. That's just to see what they really need today. The more non-tech people they hire now, the more tech people they will need to support them. What you are really searching for is direct contact information for one or more technical middle managers, and the CTO, CIO, or COO of the company. This information is often available just by cold-calling the main business number for the company and asking for it. I know a person who had a job doing just that, except it was for the printing and paper industry.

Once you know who has the authority to hire, call that person and try to determine if they have any immediate need for tech people. If they do, try to find out what skills they would need to have. You are now doing exactly the same thing most recruiters are doing. Go down your whole list, and apply directly to the companies that are hiring, with the person who has the authority to say yes. If you can somehow manufacture a social link to that person, your chances will improve dramatically.

If you never speak directly with someone who can hire you, you will never be hired. It's that simple.


"It is that you are a whistleblower that embarrassed your employer."

To clarify: I was not employed at Sylint. I was a bored college student at UCF at the time.

Everything else: Thank you. :D



