Leader: Hackers should be hired - sometimes

Because the bad guys can sometimes become the good guys

By silicon.com, 23 September 2004 16:30

The hiring of accused Sasser virus writer Sven Jaschan by a German IT security vendor has once again reopened the debate about whether convicted or known hackers and virus writers can ever be trusted to work in legitimate IT jobs.

The question split silicon.com's CIO Jury this week, with one CIO saying you should "never be too proud to learn" while another likened hiring a hacker to getting serial-killer doctor Harold Shipman to check out your sick mother if he had served his time and been released.

However, the IT security vendors have presented a united front, saying hackers can't ever be trusted to turn gamekeeper. That stance is somewhat understandable. The IT vendors have to be seen to be whiter than white and a breach resulting from hiring a computer criminal would ruin trust in their products and potentially bring down their whole business.

While many of these criminals are just bored script kiddies with basic coding knowledge, some are undoubtedly extremely talented. Surely it is a waste of that talent to let a teenage prank deprive the IT world of those skills being put to good use later in an individual's life.

There are examples of reformed hackers, one of the most famous being convicted cybercriminal Kevin Poulsen who worked a regular day job and then hacked by night under the handle 'Dark Dante'. He famously hacked an LA radio station's phone lines to ensure he would be the 102nd caller and win a car. The FBI finally tracked him down and he was sentenced to 51 months in jail.

Poulsen is now the respected editor of an online IT security news website, SecurityFocus, and an expert commentator on security developments and trends.

Here in the UK there is Robert Schifreen, the man who hacked BT's Prestel network and accessed an account belonging to Prince Philip in 1985. He was eventually acquitted after an appeal to the House of Lords but the incident brought about a change in the law, with the introduction of the Computer Misuse Act making it illegal to hack computers.

Since then Schifreen has spent many years as an IT journalist and speaking at conferences - he was last seen putting his skills to good use working for the IT department at the University of Brighton.

Clearly this is one issue where there isn't a definitive right or wrong answer. For some companies the risk to the business of hiring an 'ex-hacker' (and let's forget this stupid hacker versus cracker debate - if you break into computer systems you're a hacker, end of story) is simply too great. For others it may be worth taking the risk to get access to a special IT talent.

The subject also raises moral issues about the duty of society to rehabilitate convicted criminals who have served their time and shown remorse or regret for their actions. Clearly serial computer crime offenders are unlikely to be wanted in any corporate IT department or IT company but what about someone who made a mistake just once?

Essentially it comes down to a judgement call on each case by the person doing the hiring - and a great deal of trust. Either way, this is a debate that's not likely to end anytime soon.

Would you hire a hacker? Tell us your thoughts in Reader Comments below.

Comments

There are 11 comments.

  1. anonymous

    Give me a break. No "worth while" security company would hire a known hacker / cracker. Cluley was dead on when he said that hackers should NOT be hired. Additionally, it sends the wrong message to the computer underground: hack a box and get a job. No. Bad dog.

    The Sasser author knew EXACTLY what he was doing when he coded the private exploit. I wouldn't be surprised if we hear about a security breach at the company that hired him in the upcoming year.

  2. anonymous

    It's not really about whether one virus writer has any 'talent' that might be usable.

    It's about whether we give future potential virus-writers the message that they may be rewarded with a job if they can demonstrate their 'talent' by infecting other people's computers.

    There's a parallel with the horrific middle-east hostage taking. The short term view might be to do a deal. But once you start rewarding people for their misdeeds, you encourage others to do the same.

  3. Malaki

    Anonymous,

    You are a moron! "Worth while" companies do hire known hackers/crackers all the time. At all the hacker conventions there are well-known companies there just to recruit these hackers and crackers... It is not uncommon for someone to get 3 - 4 job offers in 4 hours, most of the offers offering a 6 figure income.

  4. Gary Love

    As one who evaluates and recommends security tools to my customers, I would never recommend that a customer purchase a product or service that has been developed by a criminal hacker. The security risk is too great. Such people could probably be used for penetration testing. But I would have qualms about hiring a criminal for penetration testing out of the concern for encouraging many others to try to prove themselves worthy of a job through criminal behavior.

  5. Jeff Doe

    "Leader: Hackers should be hired - sometimes"

    Is a virus writer really considered a hacker now too?

  6. anonymous

    Of course any hacker with enough talent should get hired. It's the only chance for them to be able to repay at least a noticeable amount for the damage they caused.

  7. Angus Doyle

    Frankly I am surprised at the comments here. I can name a good few companies that have hired hackers, which would include some of the largest finance, insurance and pension companies. Having first hand knowledge of this, hackers can be a very useful commodity to any organisation. Each person has to be judged on their merits.

    The question I have is what makes you trust a multi-million £ corporation over an individual? Who is to say that the software/hardware we use today has our privacy in mind?

    If it came down to trusting a hacker or a corporation, I would be hard pushed to give an immediate answer.

    Having asked the question many times would I hire one, well I guess it would depend. If I was a security company then I would have no problem hiring a hacker, after all I would want to stay ahead of the game. You really do need someone to think like a hacker if you were to stop one.

    Take the Shimomura and Mitnick situation, both were in fact hackers, both working on different sides of the law allegedly.

  8. anonymous

    How many hackers already work for security organisations?

    At least if you hire a hacker you know what they are capable of - and they will know and hopefully appreciate the consequences of their actions (time behind bars) - other could be hackers (I suspect the number to increase as more hackers and spammers do business) could turn if the 'price is right' - who would you trust more; the young hacker who has spent time behind bars for his actions or the 'could be' hackers you maybe know little about?

  9. anonymous

    Three thoughts:

    1) Another respondent has pointed out that corporate sellers of 'security' software will interpret your security requirements in terms of making money - not in and of itself a bad thing but worth bearing in mind.

    2) How many IT security companies already employ hackers that just haven't been caught yet?

    3) Let's not get confused between virus writers and hackers - there are many different reasons to become fascinated by computer networks, by no means all of them bad. However, there is only one reason to want to become a virus writer...

  10. malaki is Imprudent

    Malaki I bet you think you're a hacker but guess what, you're not and you're not the one going to tech conventions and getting job offers for 6 figure jobs. So, stop acting like a big dog when you are a little non-potty trained puppy.

  11. anonymous

    "[And] let's forget this stupid hacker versus cracker debate - if you break into computer systems you're a hacker, end of story."

    You would think that a news site, or a reporter, especially one covering the IT field, would be precise in its use of language.

    The word hacker has been around a long time, and until the widespread use of it by popularist media to label a person who defeats a computer security system illegally, it meant a person who created hacks. A good portion of the code submitted to the Obfuscated C Code competition were prime hacks that had nothing to do with cracking the security of a system.

    Not all hackers are crackers, and not all crackers are hackers.
