Would you hire a rehabilitated cracker?

Is hiring a security specialist "convicted for using his or her skills for illegal purposes" worth the risk? We ask the experts.

TechRepublic member Aldanatech asked peers in the Technical Q&A section whether they would hire a security specialist "convicted for using his or her skills for illegal purposes." While members chimed in with responses varying from resounding no's to yes—but only for training staff on hacking methods and countermeasures—we asked four executives and managers in the security space their answers to Aldanatech's question: "Would you hire a rehabilitated cracker?" Here are their responses:

Bill Wall, Chief Security Engineer at Harris Corporation

A cracker does his work for malicious reasons—to either destroy stuff for financial gain or to show he can penetrate with some damage. Now, it's tough to justify hiring a cracker, reformed or not.

There are cases in which you may have a reformed person—as long as they can show that that skill is indeed necessary, and they have indeed changed. You wonder if they have done more than what you thought they did during penetration testing, for example. You have to find out what happens if they become disgruntled—then you have a dangerous internal threat, which is usually more problematic.

However, if you have a choice, there are a lot of folks out there. I'd rather find someone who has training and is a security professional. After all, it's easy to hack into it; it's much more difficult to fix it up or to write protocols to fix security issues.

I've interviewed and talked to several. In interviews, I can weed out the guys who brag that they got in versus those who have taken extra courses and understand security penetration and follow the laws in management; there are rogue-types who think they're better than everyone else and have the attitude to prove it. I would be reluctant to hire the rogues. There is a trust issue to deal with. I can find, nowadays, security professionals who are trained or learn on the job.

Christopher Faulkner, CEO of C I Host

We have not hired any knowingly. That's not to say that I wouldn't. I've always had a theory that they do know some of the ins and outs that non-hacker type people don't. There are some very good uses for their skills. I do think they definitely have marketable skills.

I think there are two types of hackers. There are the ones so full of themselves with a lot to prove, and there are some that realize they have garnered skills that other folks don't have and want to utilize those skills from the inside out to protect a network. My fear is getting one of these renegade ones that turn on you.

In our data center operations personnel, we have 39 people, and I can tell you by looking at their skills that, at some point, many of them were hackers. They fit the profile of young, male, nonconformist. They're not into corporate America, they don't dress the part, but their skills are extraordinary. That's what we look for more as a company is what you bring to the table. We don't require you to have a college degree. We look at hands-on experience. There is no better job experience than being a hacker.

I do think they (employees) are keeping abreast of the latest and greatest hacks and what everyone is doing out there. I think they are kind of involved in the chatter and keep their ear to the ground of what to look for, and I think that's important.

Eric Schultze, Chief Security Architect for Shavlik Technologies

Schultze helped write the book "Hacking Exposed' and did ethical hacking from 1997 and forward, breaking into banks, insurance companies, and other corporations—telling them how he did it and how to fix it.

I feel that a good portion of these rehabilitated individuals probably are very legitimate and could do an excellent job. They're obviously very smart, and I, personally, could rely upon them to get all of this work done and do it in a responsible manner.

However, I would have a problem getting my shareholders and my corporate executives to buy off on this, to be okay with the risk. Because even though I think, yes, they can do a great job, and even if they in fact do a great job, if anything were to happen, for instance, if all of the machines in the accounting department all of a sudden crashed, and this rehabilitated person who is working for me happened to be walking through the department at that time, they would blame him.

I think the time when I would fight for a Kevin Mitnick or other rehabilitated crackers, would be instances where I'd bring Kevin in and have him give a speech to our company about how he does social engineering or other things. We're simply bringing him in, getting his knowledge and education to give presentations, but I would not be able to use him in a consulting role or an actual network administrator type role.

Dave Bixler, Information Security Officer at Siemens Business Services

There is a difference between someone who has been criminally prosecuted and someone who is just reformed. Because of our customer requirements, we have very special circumstances regarding background investigations and those types of things.

I'm all for offering people an opportunity, but typically the HR issues associated with someone convicted of a felony, particularly in a computer-related crime, would make it very difficult for us to hire them, even if I wanted to. Much as you wouldn't hire a bank robber to be a bank guard, our customers are banks so they would tend to frown on us hiring that type of individual just because of the way we're interconnected with their environments. In the business environment, the reality is that we are all connected.

Typically the mindset is "we need to hire this guy because he understands how crackers think." I totally reject that argument. I don't care what the enemy is thinking. My job is not to psychoanalyze the enemy; my job is to stop the enemy from doing bad things. You may ask their opinion on occasion, if you want to get more insight, but you don't say, "You know, you were so good at robbing banks. Now you're reformed. We want you to become a detective." That being said, I'd apply that argument to probably 99 percent of the crackers out there.

The 1 percent—the guys who really understand UNIX, Windows, network security, firewalls—the true crackers, the guys who founded the security companies—those are the only people I'd be interested in talking to. Not because of their "cracker skills," but because of their technical skills.

Editor's Picks

Free Newsletters, In your Inbox