Have you hugged a hacker today?

[security curmudgeon <jericho () ATTRITION ORG>]

From: Weld Pond <weld () l0pht com>

http://www.ecommercetimes.com/news/viewpoint2000/view-000829-1.shtml

Have You Hugged a Hacker Today?
By Mick Brady
E-Commerce Times Columnist
August 29, 2000

Should hackers be allowed to rejoin the high-tech workforce?

The Information Age is killing critical thinking. The steady barrage of
more facts and figures than any human mind can digest results in absurdly
swift processing with little or no reflection, much less complex
deliberation. The ever increasing pressure to rush to judgment can lead to
strangely counterproductive conclusions -- as in the case of what to do
with notorious ex-hackers who are ready to go back to work.

There are a lot of people who think that a fallen anti-hero, like
convicted hacker Kevin Mitnick, should have a few appendages removed to
keep him from ever again committing a computer crime. Less extreme, more
popular opinions range from forever barring him from access to computers
to forever barring him from talking about computers -- or at least, from
getting paid for it. Only in America does the real life sentence begin
after a criminal gets out of jail.

Throw the Book

For those readers who are feeling the steam building between your ears,
let me state unequivocally that I favor prosecution of cybercrime to the
full extent of the law. I also support the adoption of new laws to address
the potential for technological innovations in crime. Nevertheless, I say
that after a criminal has paid his debt to society, it should be stamped
"Paid in Full." Anyone who thinks an ex-con hasn't been punished enough
should tell it to the judge.

Mitnick, for example, was the subject of an intense FBI investigation that
resulted in a sentence of 46 months in federal prison. "Our vigorous
prosecution of Kevin Mitnick sends a message to anyone else who believes
that the new technological frontier can be abused for criminal purposes,"
said United States Attorney Mayorkas last year. "We will track you down,
electronically or by any other means, prosecute you and put you in
prison."

Mitnick's plea agreement with the government established that he would be
on supervised release for three years, during which time his access to
computers and his employment in the computer industry would be severely
restricted. He also agreed that any profits from films or books based on
his criminal activity would go to the victims of his crimes for a period
of seven years following his release from prison.

Wipe the Slate

That's all good. The point I am making is that when his sentence is over,
it should be over. There was an uproar earlier this summer when Mitnick
got the go-ahead to work as a Web writer, security consultant and
lecturer. I say, if it's okay with the court, let the guy get on with
doing what he does best. I don't think it would serve anyone's interests
to redirect him into a career as an airplane mechanic or a backhoe
operator, for example.

People who have screwed up, even very badly, should be able to make a
fresh start when they are permitted to re-enter society. That used to be a
fundamental American principle. Sure, they are going to carry around a
certain amount of baggage -- that comes with the territory. They will have
to inform prospective employers of their convictions, and those who became
famous for their crimes will probably never fully restore their sullied
reputations. But they should be allowed the opportunity to try.

What's In It for Them

The impulse to draw trigger-quick conclusions has led some observers to
think that acquiring fame as a hacker is an easy ticket to a great job.
That notion presupposes that the high-tech companies and government
agencies who court hackers would benefit in some way from their notoriety,
which makes no sense. Would the presence of a known felon on the staff
boost investor, consumer, or citizen confidence?

What the prospective employers are undoubtedly interested in are the
skills of the former offenders, which are valuable resources that should
be put to good use. The fame of an individual like Mitnick ensures a high
level of security surrounding his hire. I find it impossible to believe
that a known hacker would be allowed to function without some pretty
serious checks and balances in place.

After all, the employer would not want its own systems to be vulnerable to
attack -- that's a given. Also, the employer would be responsible for the
individual's work product, and thus could be liable for damages if the
hacker were to strike anyone else.

Furthermore, hackers are by definition intelligent people. Having been
caught once, only the most grandiose among them would ignore the
likelihood of being caught again -- especially while performing a job
under the scrutiny of alert and aware supervisors.

The Deterrence Factor

Some people argue that with examples like Mitnick, teen hackers will be
encouraged to follow in his "glamorous" footsteps with an eye to landing a
six-figure job after they have done a little easy time in the federal pen.

There is something wrong with the kind of thinking that supposes any
amount of prison time is "easy." For skilled tech workers, it is easy to
get the attention of recruiters, to land job interviews and to attract
offers with top salaries and attractive perks. It is not easy -- for
anyone -- to give up several years of personal freedom, even in a minimum
security joint.

I don't think that teen hackers embark on their adventures in cybercrime
with long-term career development in mind. They are in it for the thrill
of doing something no one else has yet accomplished, and they have every
intention of getting off scot-free.

Use the Force

If those who have still escaped detection can be lured away from the dark
side by the offer of a handsome salary with a reputable organization, I am
all for it. Better than leaving them to their dangerous devices.

As U.S. Assistant Secretary of Defense Arthur Money recently said to a
crowd of cyber-vandals in Las Vegas, Nevada, "I would rather have my
attention focused on what rogue states are doing to us than being harassed
seven times a day figuring out what some guy is doing to us."

Guys like Mitnick are not role models for anyone. There is nothing
glamorous about getting busted. No one cheers for the fellow who meets the
news cameras with his sweater pulled up over his head.

Rehabilitated computer criminals can become positive role models, however,
if allowed to turn their genius toward solving some important problems for
society.

Whether ex-hackers are viewed as clever scam artists who are conning their
employers out of undeserved paychecks or as valuable resources who have
talent and expertise to contribute to the world is entirely a matter of
perception. Nevertheless, a careful, dispassionate approach to the subject
-- rather than a knee-jerk response -- must yield the conclusion that the
cynical point of view simply doesn't make sense.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".