Information Security News mailing list archives
Should You Trust a Reformed Hacker?
From: InfoSec News <isn () C4I ORG>
Date: Thu, 10 Aug 2000 01:44:37 -0500
http://www.businessweek.com/bwdaily/dnflash/aug2000/nf2000088_425.htm

Forwarded By: Eric Budke <budke () budke com>

AUGUST 8, 2000
By Alex Salkever

Should You Trust a Reformed Hacker?
Top security outfits are excluding anyone with a tainted past -- no matter their expertise. That's bad news for the Kevin Mitnicks

He's fresh out of jail, five years after a controversial and highly publicized criminal-fraud conviction that marked him as the country's most dangerous computer criminal. Now Kevin Mitnick wants to return to the Internet fold, this time as a good guy. Mitnick will make his first post-prison paid speaking appearance on Sept. 27, at a Los Angeles conference organized by Giga Information Group. Naturally, he will address computer-security issues.

His scheduled public appearance has caught the attention of many folks in the Internet-security sector. Mitnick's speaking gig shines a bright light on a touchy topic for the business: Namely, can a cracker -- a malicious hacker who broke into computers illegally -- ever be trusted to help guard sensitive systems for corporate or government clients? As the sector grows by leaps and bounds and Internet-security companies struggle to find fresh warm bodies, the issue grows in prominence. "The Kevin Mitnick story has raised significant questions in our marketplace," says Chris Darby, CEO of Net-security firm @stake.

The saga highlights the dilemma involving a large number of computer aficionados with hacker pasts. Mitnick had been incarcerated since February, 1995, on charges of wire fraud and illegal possession of computer files stolen from such companies as Motorola and Sun Microsystems. He was arrested after what Assistant U.S. Attorney Christopher Painter called "a countrywide hacking spree" that earned Mitnick a spot on the FBI's Most Wanted list. Over a 2 1/2-year period, Mitnick was alleged to have hacked into computers, stolen corporate secrets, scrambled phone networks, broken into the national defense warning system, and caused millions of dollars in losses.

Mitnick is an extreme case -- most hackers never get caught. In fact, these days, many are out in the high-tech workforce. It's possible that some even hold top jobs at computer-security companies. Does a hacker's past mean he should be excluded from jobs that might be a perfect match for his skills?

UNIX ADVENTURES. Maybe, maybe not. In a recent poll published by CIO magazine, 31% of respondents said they would hire Mitnick to work for them. And many hackers believe a "No blood, no foul" ethos should be applied to the Internet-security field. "I exercised poor judgment. That's how I learned and how I got good at what I do. But I can say for myself, I never intentionally damaged a computer system or sent a virus or erased anyone's information," says Mitnick.

Rather, according to Mitnick, his transgressions should be viewed as misdemeanors, akin to trespassing, rather than felonies. He points out that such intrusions are an accepted artifact of an earlier time, when computing resources were scarce and hackers routinely broke into big corporate or university systems, partly for adventure, but also so they could play on powerful Unix machines beyond the reach of most individual users.

For Mitnick and others in the underground, the line that separates a hacker from a cracker is intent to harm or reap personal gain. "Would I recommend hiring someone who accessed a banking system without authorization and used hacking skills for some kind of financial gain? I would be inclined not to. It comes down to looking at the morals and the values of the person," says Mitnick.

CAPTAIN'S LOG. But the party line among top security companies these days is total exclusion of any questionable characters. Any criminal record means an automatic no.
"We do not believe there is room for cyber-criminals in this industry. The real question is whether a responsible executive would take advice on a strategic business issue from someone who has a criminal record," says Darby.

For @stake and others, background checks beyond criminal records are becoming increasingly common to ensure a potential hire does not have a dark past of, say, breaking into the Pentagon's systems. "Our company policy is not to hire crackers. We ask all candidates their history with hacking and cracking. We ask them if they have knowingly gained unauthorized access to a system. If they say yes, then we don't hire them," says Stuart McClure, president and chief technology officer of Internet-security consultant Foundstone.

Beyond the moral issues, the colorful cast of characters in the hacker underground is not exactly a good fit with procedure-oriented corporate security auditing. "Would you, as a chief investment officer of a Fortune 500 company, feel comfortable going to your board and saying 'We had a security audit, and Captain Bazooka says we're O.K.'?" asks Frederick Rica, a Net-security expert with PricewaterhouseCoopers.

IMPORTANT CONTRIBUTION. Then there's the fear that Captain Bazooka could go off on your system. "There's always a potential that reformed hackers may revert back to their old ways. In a worst-case scenario, they would share confidential information with others in the underground," says Rica. He would know. One of his clients hired a well-known hacker to do penetration testing and later found the hacker's exploits inside his company's system splashed across a cover story in underground hacker magazine 2600.

Off the record, some computer-security managers expressed sympathy for Mitnick. Others suggested that convicted hackers be given a second chance in a limited arena until they prove themselves trustworthy and loyal. "You can bring someone in for a part of a project or to do only certain parts of the audit. You don't have to give them the keys to the kingdom," says Jim Williams, the director of business development at computer-services and consulting firm S3 Networks.

For his part, Williams will not hire criminals and openly briefs customers on the background of his security consultants. And he looks to hire people with security clearances and backgrounds at big corporations or in the government. He's not alone: @stake, Foundstone, and PricewaterhouseCoopers all prize candidates with clearances and Fortune 500 pedigrees. The presence of such individuals, in most cases, represents a clear sign of the integrity of the company. That's bad news for the Kevin Mitnicks of the world.

That said, hackers clearly have an important contribution to make. "Do you want to hire someone who went to school for four years in car security, or do you want to hire the person who is an expert at stealing the car?" asks Mitnick. The answer is both. But just be careful who has the keys and who's left alone in the parking garage with the Ferraris.

Salkever writes about Internet security and technology for BW Online

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".