Hiring hackers

Kurt Seifried, [email protected]


 

Note: this article uses the word "hacker" in the current media sponsored way, i.e. people with criminal behavior as opposed to the original benign meaning.

 

There has been a long, ongoing debate about this issue, and recently it has resurfaced in public. Should companies hire hackers convicted of computer crimes? The general theory is that these "hackers" are elite commando style computer security experts that can tighten up your network in a weekend marathon of pizza and pop. Often nothing is further from the truth.

The first concern I would have is: are these people really any good at computer security? Now this may sound like a rather silly question, but it bears asking. The most obvious clue would be that they have been caught and convicted of a computer related crime. If they are such great "hackers" why did they get caught? Kevin Mitnick, a very famous hacker, was caught several times, and spent time in jail. Most hackers possess very little actual skill. They simply follow in the footsteps of others. It is very easy to download precompiled exploit scripts from sites such as rootshell and then use them to break into systems. Even assuming for a moment that this person has any advanced computer security skills related to breaking into networks, this does not mean they have the skills needed to secure networks. It is one thing to find a weakness and exploit it, but it is an entirely different matter to fix it properly.

Securing a network takes a lot more then plugging a few technical holes. Even if I were to walk into your network and fix every single existing problem, it would not make your network secure. Security is a procedure with many steps, assessment, definition of needs, planning, implementation, review, and so forth, which amounts to a never ending cycle. Even if you hire a brilliant hacker that secures you against all known attacks, new problems will crop up. Even if your hacker has these qualities, their ethics are extremely questionable. There is a famous saying among lawyers: "never put a perjurer on the stand", which boils down to "if you know he's lied before, chances are, he might do it again". How can you trust your newly hired hacker not to slip backdoors into the system that they might later exploit. While it is true that any trusted employee might try to do something like this it certainly seems silly to put yourself in a higher risk category.

A company has a fiduciary responsibility to stockholders. They are entrusted with their stockholders' money and are expected to make decisions that will increase it without unnecessary risk. Engaging in high risk behavior means legal liability. For example, would it be reasonable to sue the corporation for not taking proper care and responsibility in hiring someone they know to have offended before? Considering the position of trust most security administrators are placed in (they have administrative access to servers, monitor users' network usage, read incoming and outgoing e-mail and so on) is it really wise to hire these people? A person with administrative access to a server, or physical access to the network can break into systems and leave backdoors with nary a trace. Would you expect a bank to hire criminals convicted of armed robbery to transport money on the grounds they know what to look out for? Would you hire a burglar to install the alarm system for your house?

While it would be nice if all criminals that got caught were rehabilitated, used their skills for good rather than evil, and never offended again, this is not a perfect world. By breaking the law, for whatever reason (curiosity, maliciousness, etc.) they have chosen to violate rules generally accepted in most countries and societies. They have (at a bare minimum) shown poor decision making, and while they may not specifically want to re-offend, they may be tempted by a short term gain and take a chance (as they have in past).

Summary

While it is possible to find a convicted hacker with the skills you want, it is exceedingly rare. Even if they possess the required skills their decision making and morality must be questioned. Even if they are reformed and never commit a crime again, would clients feel comfortable with the person? In general the negatives associated with hiring a convicted hacker far outweigh any benefits.

To quote a recent online article:

"Nolan Waithe Grant was hired Aug. 16 to work at the university computer system's help desk at a salary of $21,626. Three years ago he pleaded guilty to hacking into the school's Unix computer network."

 

Reference links:

http://www.securityfocus.com/templates/article.html?id=79

http://www.courttv.com/people/2000/0830/hacker_ap.html

 


Back

Last updated 4/10/2001

Copyright Kurt Seifried 2001