Author Topic: Do you include your malicious code in your portfolio?


gentlemanscratch
Do you include your malicious code in your portfolio?
« on: September 22, 2015, 04:03:59 am »
So let's say you're applying for a job that's not in the security industry. Let's say as an application/game developer, etc. Would you include your code that could be considered 'malicious' or 'illegal' in the portfolio of work that you'd present to your potential employer? Would it still be considered unethical if you never used your code for anything other than testing purposes?

I guess it wouldn't make much sense to include work like that if you're not going into the same area, but it's always good to show what you can do and what areas you're effective in. But if you're applying for a job in a completely different area, I don't see why your employer would bother to take the risk of hiring someone who spends their free time writing backdoors and shit. I was wondering this for myself, but now I want to know what you guys' opinions are on this, or if you've been in a similar situation.

Including naughty code in your portfolio, yay or nay?

iTpHo3NiX (Administrator)
« Reply #1 on: September 22, 2015, 05:27:28 am »
I guess it depends on the employer and situation. In game development, it depends on what the malware has as far as code (or is it a similar language, or the same one that you would be developing in?) and programming habits. Although if it's just illegal I wouldn't have it; however, to show certain skills it may be worthwhile.

Kulverstukas (Administrator)
« Reply #2 on: September 22, 2015, 07:30:27 am »
I wrote StealthStalker malware some years ago and I proudly publicized everything on my blog and code archive. I believe what iTpHo3NiX said is true: if it's plain illegal then don't; otherwise it's nothing bad to show it off if you're explaining it and giving code. Obviously some disclaimer has to be in place too :P It could be a good way to show how you circumvented some of the security measures for your malicious code, especially if it's related to the work you're applying for.
But once I was going to an interview and the employer opened my blog, scrolled through while talking to me, and when he saw the blog post about StealthStalker, I think he wasn't pleased :P like "oh..."

Deque (Global Moderator, Programmer, Malware Analyst)
« Reply #3 on: September 22, 2015, 10:12:13 am »
People who are not in the IT security business have a hard time understanding why this code can be a good thing. So even if what you did is not illegal, and ethically ok from a security perspective (e.g. exploits, PoCs), you cannot expect that they will understand why it is ok. People who don't occupy themselves with security think it is evil to create any code that could be used by malware.

Sometimes the wording can make a huge difference. E.g. you can call a program a password recovery tool, or you can call it a password brute-forcer/password stealer. Although it might do the same thing, it will give an entirely different impression to the person seeing that program. So if you decide to show off any potentially problematic code, make it clear from the beginning that it is actually a good thing. Make it sound good.

Anyways, I would not do it for a non-security-related job application.
Even for a security-related one you have to be careful with that.

DoctorT
« Reply #4 on: September 22, 2015, 07:11:10 pm »
Deque has pointed out that wording can make a huge difference. "Password brute-force" simply sounds evil to non-programmer management teams, while "recovery" can have a different part of the brain activated. Even so, I do not think I would include malware in any portfolio, because honestly, do you think those guys at Blizzard will hire me if they know WoW could potentially be hacked by me? Or, like the guy who was promised the cake at Valve (yes, "the cake is a lie" reference) and then instead got swatted by Gabe because the source code of HL2 was simply accessed by him.... you know, if this hacker had just shut his mouth and didn't get lured into a job at Valve, he wouldn't have faced custody. Do you think the makers of WoW, or even Elder Scrolls Online, would even be slightly pleased to have an active exploit in their game included in the job application by someone that wants to be their employee?

Kulverstukas (Administrator)
« Reply #5 on: September 22, 2015, 07:48:37 pm »
Quote from: DoctorT
Deque has pointed out that wording can make a huge difference. "Password brute-force" simply sounds evil to non-programmer management teams, while "recovery" can have a different part of the brain activated. Even so, I do not think I would include malware in any portfolio, because honestly, do you think those guys at Blizzard will hire me if they know WoW could potentially be hacked by me? Or, like the guy who was promised the cake at Valve (yes, "the cake is a lie" reference) and then instead got swatted by Gabe because the source code of HL2 was simply accessed by him.... you know, if this hacker had just shut his mouth and didn't get lured into a job at Valve, he wouldn't have faced custody. Do you think the makers of WoW, or even Elder Scrolls Online, would even be slightly pleased to have an active exploit in their game included in the job application by someone that wants to be their employee?

Why not? Hackers (sometimes) get hired by companies for their skill at finding bugs in their software, which means that they understand them and can fix them; even more, they can make protections against them. But ofc there are those that throw those people in jail and claim the company found the bug.

Deque (Global Moderator, Programmer, Malware Analyst)
« Reply #6 on: September 22, 2015, 09:02:15 pm »
Quote from: Kulverstukas
Why not? Hackers (sometimes) get hired by companies for their skill at finding bugs in their software, which means that they understand them and can fix them; even more, they can make protections against them. But ofc there are those that throw those people in jail and claim the company found the bug.

That's the thing. A lot of companies see people like us as a threat, not as someone who could be on their side and help them to secure their systems.
IT security is underrated by a lot of companies; they don't want to spend money on it, and even more, they don't want people to tell them where they suck. "Shh. Just ignore the problem and it will go away."
I think those who actually hire hackers are the minority.

DoctorT
« Reply #7 on: September 24, 2015, 04:10:06 pm »
Quote from: Kulverstukas
Why not? Hackers (sometimes) get hired by companies for their skill at finding bugs in their software, which means that they understand them and can fix them; even more, they can make protections against them. But ofc there are those that throw those people in jail and claim the company found the bug.

Of course companies hire security professionals. But as Gray Hat Hacking puts it, we currently have no legal backing. But if Valve could put a guy in jail that had simply accessed the source code of Half-Life 2, had FBI/CIA support (and the whole "I'll interview ya" was the FBI's idea), and couldn't get the slightest black mark in the hacking community, how can you expect Bethesda or Blizzard not to perform such an action? Likewise, most managers don't know crap about the things they manage, let alone understand a complicated C# buffer overflow exploit.

gentlemanscratch
« Reply #8 on: October 26, 2015, 04:08:46 am »
Yeah, looks like the overall opinion here is that the people hiring you most likely ain't gonna know shit and will likely see you as a possible threat. Really sucks though; I can't even show off the work I do in my free time, and have to write other code I likely won't want to write to include in my portfolio. Real shame.

applebucked
« Reply #9 on: October 26, 2015, 08:17:11 pm »
I mostly include my sysadmin/automation code in my portfolio, or at least in my resume, but I also mainly work for information security companies, which puts me in a lucky position.

Dr4g0n
« Reply #10 on: October 27, 2015, 06:32:59 am »
Like others said, if you call it something professional and have good code for it, your employer shouldn't care. Like, instead of calling your stress tester "D4RK C0M3T 31337B00T3R", just call it "overhaul stress tester" or something.