TechRepublic member Aldanatech asked peers in the Technical
Q&A section whether they would hire
a security specialist “convicted for using his or her skills for illegal
purposes.” While members chimed in with responses varying from resounding no’s
to yes—but only for training staff on
hacking methods and countermeasures—we asked four executives and managers in
the security space their answers to Aldanatech’s question: “Would you hire a
rehabilitated cracker?” Here are their responses:
Bill Wall, Chief Security Engineer at Harris Corporation
A cracker does his work for malicious reasons—to either
destroy stuff for financial gain or to show he can penetrate with some damage. Now,
it’s tough to justify hiring a cracker, reformed or not.
There are cases in which you may have a reformed person—as
long as they can show that that skill is indeed necessary, and they have indeed
changed. You wonder if they have done more than what you thought they did
during penetration testing, for example. You have to find out what happens if
they become disgruntled—then you have a dangerous internal threat, which is
usually more problematic.
However, if you have a choice, there are a lot of folks out
there. I’d rather find someone who has training and is a security professional.
After all, it’s easy to hack into it; it’s much more difficult to fix it up or
to write protocols to fix security issues.
I’ve interviewed and talked to several. In interviews, I can
weed out the guys who brag that they got in versus those who have taken extra
courses and understand security penetration and follow the laws in management; there
are rogue-types who think they’re better than everyone else and have the
attitude to prove it. I would be reluctant to hire the rogues. There is a trust
issue to deal with. I can find, nowadays, security professionals who are
trained or learn on the job.
Christopher Faulkner, CEO of C I Host
We have not hired any knowingly. That’s not to say that I
wouldn’t. I’ve always had a theory that they do know some of the ins and outs
that non-hacker type people don’t. There are some very good uses for their
skills. I do think they definitely have marketable skills.
I think there are two types of hackers. There are the ones
so full of themselves with a lot to prove, and there are some that realize they
have garnered skills that other folks don’t have and want to utilize those
skills from the inside out to protect a network. My fear is getting one of
these renegade ones that turn on you.
In our data center operations personnel, we have 39 people,
and I can tell you by looking at their skills that, at some point, many of them
were hackers. They fit the profile of young, male, nonconformist. They’re not
into corporate America, they don’t dress the part, but their skills are
extraordinary. What we look for more as a company is what you bring to
the table. We don’t require you to have a college degree. We look at hands-on
experience. There is no better job experience than being a hacker.
I do think they (employees) are keeping abreast of the
latest and greatest hacks and what everyone is doing out there. I think they
are kind of involved in the chatter and keep their ear to the ground of what to
look for, and I think that’s important.
Eric Schultze, Chief Security Architect for Shavlik Technologies
Schultze helped write
the book “Hacking Exposed” and did ethical hacking from 1997 and forward,
breaking into banks, insurance companies, and other corporations—telling them
how he did it and how to fix it.
I feel that a good portion of these rehabilitated
individuals probably are very legitimate and could do an excellent job. They’re
obviously very smart, and I, personally, could rely upon them to get all of
this work done and do it in a responsible manner.
However, I would have a problem getting my shareholders and
my corporate executives to buy off on this, to be okay with the risk. Because
even though I think, yes, they can do a great job, and even if they in fact do
a great job, if anything were to happen, for instance, if all of the machines
in the accounting department all of a sudden crashed, and this rehabilitated
person who is working for me happened to be walking through the department at
that time, they would blame him.
I think the time when I would fight for a Kevin Mitnick or
other rehabilitated crackers would be instances where I’d bring Kevin in and
have him give a speech to our company about how he does social engineering or
other things. We’re simply bringing him in, getting his knowledge and education
to give presentations, but I would not be able to use him in a consulting role
or an actual network administrator type role.
Dave Bixler, Information Security Officer at Siemens Business Services
There is a difference between someone who has been
criminally prosecuted and someone who is just reformed. Because of our customer
requirements, we have very special circumstances regarding background
investigations and those types of things.
I’m all for offering people an opportunity, but typically
the HR issues associated with someone convicted of a felony, particularly in a
computer-related crime, would make it very difficult for us to hire them, even
if I wanted to. Much as you wouldn’t hire a bank robber to be a bank guard, our
customers are banks so they would tend to frown on us hiring that type of
individual just because of the way we’re interconnected with their
environments. In the business environment, the reality is that we are all
Typically the mindset is “we need to hire this guy because
he understands how crackers think.” I totally reject that argument. I don’t
care what the enemy is thinking. My job is not to psychoanalyze the enemy; my
job is to stop the enemy from doing bad things. You may ask their opinion on
occasion, if you want to get more insight, but you don’t say, “You know, you
were so good at robbing banks. Now you’re reformed. We want you to become a
detective.” That being said, I’d apply that argument to probably 99 percent of
the crackers out there.
The 1 percent—the guys who really understand UNIX, Windows,
network security, firewalls—the true crackers, the guys who founded the
security companies—those are the only people I’d be interested in talking to.
Not because of their “cracker skills,” but because of their technical skills.