April 16, 2003 12:32 PM PDT
Commit a crime, no network time?
A panel discussion on the role of hackers in security tried to answer that question, but the debate on Wednesday turned into a verbal boxing match, reflecting the deep divide between those who believe that convicted cybercriminals shouldn't have a role in security and those who believe that they should.
"How do you explain to your shareholders that you are going to hire someone (to guard your networks) who has been jailed, not once, but multiple times," argued Ira Winkler, chief security strategist for Hewlett-Packard, who contends that hackers bring no special security knowledge and are an unacceptable risk to any company that hires them.
The question was aimed directly at former hacker Kevin Mitnick, who has multiple convictions for computer crimes and who also spoke on the panel at the RSA Security conference here. Mitnick contended that hackers should be hired, but only after close evaluation.
"I think that it depends on the person--what value they bring," he said. "Trust has to be evaluated on a case-by-case basis."
The argument mirrors the security industry's angst about its past. While some security experts learned their craft in the government sector or through school, many of today's consultants and researchers were yesterday's hackers. In many cases, the person may not have done anything illegal, but in other instances, it was a matter of not having been caught, Mitnick said.
"Many people in this industry who are well-respected used to hack--I traded vulnerabilities with some of them," said Mitnick, now a security consultant. Companies still try to hide that fact today, he said. "You have to question people who stand on a high ladder and say that they don't hire hackers, when in reality they do."
Mitnick, arrested in February 1995 for computer crimes, spent nearly five years in prison and another three years under restrictions that limited his use of technology. Now he gives talks on security, has written a book and has started his own security company, Defensive Thinking.
Hacking their image
An underground school tries
to reprogram a reputation.
Many security experts don't believe that hackers have much to offer. The International Information Systems Security Certification Consortium, the group that administers the well-known Certified Information Systems Security Professional credential, doesn't allow its members fraternize with hackers, for example.
Winkler seems to agree. The security expert expressed doubt that anyone who had been convicted of illegal hacking could reform to the point that they could be put in a position of absolute trust, such as in the role of a system administrator.
"The reason that (hackers commit crimes) is because they have already rationalized (criminal acts)," Winkler said. "I heard (Mitnick) call phone 'phreaking' a hobby. It's not a hobby, it's a felony."
Trust versus skills
Christopher Painter, deputy chief for the Computer Crimes and Intellectual Property section at the U.S. Department of Justice and another member of the panel, agreed that hackers convicted of cybercrimes haven't shown responsible behavior and thus should be suspect.
"What hackers have shown is a disrespect for others' rights and property," he said. "What does that mean, especially if I am going to give them the keys to the kingdom?"
Painter, who prosecuted Mitnick's case, stressed that hiring hackers adds a risk to the security equation that companies may not want to take.
Yet hackers, who have learned by doing, frequently have skills and knowledge that others don't have, said Jennifer Granick, the clinical director for Stanford University's Center for Internet and Society and an attorney who has represented those convicted of cybercrimes.
Granick argued that some activities in security require a person to have a hacker's mind set. "There is something about computer security that requires you to think about how to circumvent protections," she said. "You have to anticipate those uses to protect against them."
She stressed that hiring people who have committed a cybercrime is not rewarding the crime. "Hackers think just like other people think when they commit crimes, which is, 'I will not get caught,'" she said.
The thin gray line
New laws make hacking
a black-and-white choice
"I hire people based on r?sum?s, not on criminal records," he said.
While many people admit to being an old-school hacker--that is, someone who simply likes to play around with technology--hackers are now generally thought of as those who break into systems.
Mitnick said that even criminal hackers can change their ways and want to help foster security, not hurt it, in the same way that many drug addicts recover and go on to counsel others.
But the Justice Department's Painter said that Mitnick's analogy missed the mark. "It's asking the drug addict, not to be the counselor, but the pharmacist," he said.