The minefield of hiring a hacker.
If
you haven't heard lately Sven Jaschen, the author of many variants of
the Netsky and Sasser worms was hired by the German security company
Securepoint to be a developer on their security software, including
things like their corporate firewall suite.
In recent worms, hackers have been so bold as to include text asking
for jobs. Recently I received a resume from a 'reformed' hacker who
visits my blog regularly. Let me give you my take on the issue, and
once and for all explain why I think it is a BAD idea to hire hackers.
First off, lets get the definition out of the way. In this context
being a 'hacker' is not the good connotation where you get around
complex problems with interesting code. I, for example, am a hacker
(good connotation). What I am not…. is a CRIMINAL (bad connotation).
What's the difference? At the point where you breach someone else's resources without their permission, in my mind
you are a criminal. When you leave the perimeter and enter into someone
else's realm, which includes the network infrastructure (ie: Your ISPs
Internet connection.. remember its theirs.. NOT yours) and you do
something unethical and get caught, in my mind you are a criminal.
And in my views, criminals have no business being in the professional field of information security.
Yes, that is an EXTREMELY harsh statement. And its meant to be. But
its comes from experience. It comes from reality. And it comes to
protection of the profession.
There are many hackers that I know and respect that are amazing
coders. They have talents in looking at and deconstructing code in such
a different way I could only lust after their expertise. But when you
hire a 'hacker', you don't just get his or her amazing talents. You
also get their ethics. And ethics are NOT something you can simply turn
on and off at whim.
Now, before you go off all half cocked and start spewing forth
comments about how Kevin Mitnick is a perfect example of a reformed
hacker gone good, let me spare you the trouble. I like Kevin; I have
only met him once, and he seemed like a nice guy. I think the
educational ambassadorial work on social engineering that he has done
since his release from prison has been noble. But I still wouldn't hire
him. His curiosity got the best of him, and he got caught. And even
though he has served his time and is now considered reformed, the real
point is that he served his time for CRIME. What he did was criminal.
Clear and of fact. And he admits it. And wishes to move on. And I
applaud him for that. He just won't be getting hired by me any time
soon.
You see, I subscribe to a code of ethics
which does not permit me the luxury of blindly trusting that someone
else's own ethics will be changed… and I must make decisions from
previous experiences. I avoid professional association with those whose
practices or reputation might diminish the profession. I might drink
beer with them. Debate with them in the wee hours of the morning in
hotel rooms at conferences. Listen to them to learn from their
experiences and take constructive criticism on things I may not know,
or do incorrectly. I will even work with them as part of security
incidents. But I will NOT hire them onto my team. There are amazing
people out there that DO have a higher code of ethics, so I don't need
or want to waste my time HOPING they have reformed. I have to trust the
people on my team implicitly. I will not take that risk on behalf of my
team, or my clients. So don't even bother asking. You will not be
considered. [Dana Epp's ramblings at the Sanctuary]