By Will Sturgeon, 29 April 2003 13:25
A top security expert has hit out at claims by convicted hacker Kevin Mitnick that reformed cyber-criminals have a lot to offer the IT security industry.
In a latter-day reworking of the old 'hire a thief to catch a thief' adage, Mitnick, speaking at last week's RSA security conference in San Francisco, called upon companies to open their doors to former hackers and virus writers, claiming they have the knowledge to safeguard networks against future attacks.
Advocating second chances for convicted cyber-criminals, Mitnick said: "I think that it depends on the person - what value they bring. Trust has to be evaluated on a case-by-case basis."
However, his words did little to convince Vincent Gullotto, vice president of Network Associates' anti-virus emergency response team (AVERT).
Gullotto said: "If Kevin Mitnick turned up on my doorstep asking for a job, I'd tell him, 'Sorry, but we don't have any jobs going'.
"I don't think he would get a job anywhere in this industry. There is a strong feeling within the anti-virus and security sector that you shouldn't give these people jobs - no matter how reformed they are, or how reformed they say they are."
Gullotto's words echo those of Ira Winkler, chief security strategist for Hewlett-Packard, who last week said: "How do you explain to your shareholders that you are going to hire someone who has been jailed [for cyber crimes]?"
Comments
1. anonymous
Although I have never been caught for hacking, I was employed for my experience. I also have administrative access to my corporation's entire infrastructure. I have not nor will I configure any backdoors into my systems for use after termination of my employment. I have ethics just as any normal working joe does and I pride myself on them.
I continually am subject to background and security checks, as are all employees. My employer, due to the type of business we conduct, does not hire felons, and even misdemeanors are put under a microscope.
I know of quite a few companies who provide home and business security systems who actually hire convicted burglars, etc., to test the resilience of their new systems before they release them for installation.
How better to ensure a reliable system than to use the expertise of those who are skilled at defeating them?
My point is, most IT security people have the mindset to simply secure the system. As I tend to secure my systems and networks as a result of my defeating it.
I am not saying just because a person has been convicted you should hire him, of course you have to take everyone on a case by case basis. But that's difficult to do if you stereotype people as these debates tend to do.
For me personally, I don't hack to steal files, records, etc. but rather for the technological challenge. Now from my viewpoint, I have the Holy Grail. I have written authorization to hack at my Corporation's network. Of course it is written in legalese and I signed a Non-Disclosure Agreement, at my request, but I can now satisfy my thirst for knowledge without the chance of jail time and I get paid for it.
Of course not all hackers' thirst is for knowledge. Some do it, whether they realize it or not, for recognition from their peers, which is sad.
I do believe that there are a lot of fine lines that need to be drawn in the "Hire a Hacker?" debate and I would not recommend hiring someone purely because he is a convicted hacker.
My belief is that true power is not money, it is not recognition, but it is knowledge. The only greater power is not to use that power to negatively affect others or their welfare.