Security conference turns nasty over 'employ a hacker' claim

NEWS Would you give a convicted hacker control of your corporate network? That was the topic for heated debate at the RSA conference in San Francisco where notorious cyber criminal Kevin Mitnick made the case for hackers everywhere. Ira Winkler, chief security strategist for Hewlett-Packard, inisted hackers bring no special security knowledge and are an unacceptable risk to any company that hires them. Winkler said: "How do you explain to your shareholders that you are going to hire someone who has been jailed, not once, but multiple times." The question was aimed directly at former hacker Kevin Mitnick, who has multiple convictions for computer crimes and who also spoke on the panel at the RSA Security conference in San Francisco. Mitnick contended that hackers should be hired, but only after close evaluation. He said: "I think that it depends on the person - what value they bring. Trust has to be evaluated on a case-by-case basis." The argument mirrors the security industry's angst about its past. While some security experts learned their craft in the government sector or through school, many of today's consultants and researchers were yesterday's hackers. In many cases, the person may not have done anything illegal, but in other instances, it was a matter of not having been caught, Mitnick said. "Many people in this industry who are well-respected used to hack - I traded vulnerabilities with some of them," said Mitnick, now a security consultant. Companies still try to hide that fact today, he said. "You have to question people who stand on a high ladder and say that they don't hire hackers, when in reality they do." Mitnick, arrested in February 1995 for computer crimes, spent nearly five years in prison and another three years under restrictions that limited his use of technology. Now he gives talks on security, has written a book and has started his own security company, Defensive Thinking. However, in this war of words, Winkler countered, doubting whether anyone who had been convicted of illegal hacking could reform to the point that they could be put in a position of absolute trust, such as in the role of a system administrator. "The reason that [hackers commit crimes] is because they have already rationalised [criminal acts]," Winkler said. "I heard [Mitnick] call phone 'phreaking' (the practice of tapping into phone networks to make free long distance calls) a hobby. It's not a hobby, it's a felony." Christopher Painter, deputy chief for the Computer Crimes and Intellectual Property section at the US Department of Justice and another member of the panel, agreed that hackers convicted of cybercrimes haven't shown responsible behaviour and thus should be suspect. He said: "What hackers have shown is a disrespect for others' rights and property. What does that mean, especially if I am going to give them the keys to the kingdom?" Painter, who prosecuted Mitnick's case, stressed that hiring hackers adds a risk to the security equation that companies may not want to take. However, Jennifer Granick, the clinical director for Stanford University's Center for Internet and Society and an attorney who has represented those convicted of cybercrimes, argued that some activities in security require a person to have a hacker's mindset. "There is something about computer security that requires you to think about how to circumvent protections," she said. "You have to anticipate those uses to protect against them."