Interesting People mailing list archives

author added Interesting debate : Should You Hire a Hacker?


From: Dave Farber <dave () farber net>
Date: Fri, 18 Apr 2003 14:14:43 -0400


By Deborah Radcliff, SecurityFocus Apr 15 2003 9:19PM

http://www.securityfocus.org/news/3982


Debate: Should You Hire a Hacker?

Kevin Mitnick squares off with his former prosecutor: can reformed hackers
be trusted to guard the corporate henhouse?

Should corporations hire known hackers with criminal records to test and
secure their networks?

The question, posed to four panelists at the RSA Security Conference held at
the Moscone Center today, pitted hacker Kevin Mitnick against Christopher
Painter, who prosecuted Mitnick in 1995.

Mitnick argued that hackers, if reformed, make excellent security
consultants because of their nature of pushing technology to the limits and
their skills in penetrating computer systems.

Painter, now the deputy chief of the Computer Crime Section of the
Department of Justice, disagreed. Criminals are criminals, he explained. And
paying known ex-criminals to safeguard a company's intellectual property is
like having the fox guard the henhouse, which was the title of the session.

Ira Winkler, the outspoken chief security strategist for Hewlett-Packard,
agreed vociferously with Painter. Winkler last week squashed an internal H-P
proposal to bring Mitnick in as a paid guest speaker.

"If you were a Fortune 500 company and you hired a hacker with a criminal
record to test your systems, what would you tell your shareholders?" he
asked. "Besides, what specialty skills do criminal hackers bring to the
table that security experts without records don't already have?"

Breaking into a computer is easy, Winkler continued. Closing up security
holes is the more difficult task -- a skill most hackers lack, he argued.

Mitnick charged back that Winkler himself had hired known hackers,
particularly from an elite group called the Ghetto Hackers. Winkler
contended that none of the Ghetto Hackers he hired had criminal backgrounds.
But in a June, 2001 Business 2.0 article, some members of the group claim to
have spent their adolescent and teen years stealing free telephone time and
software. 

A lot of kids make mistakes in their youth, Winkler said, but the proof is
in their records as adults. Mitnick was convicted five times, four times as
an adult, according to Painter.

So why would one want to hire someone with Mitnick's background? Because of
his skills, and his ability to raise corporate awareness of how people can
"social engineer" them out of sensitive information, said attorney Jennifer
Granick, a long-time hacker defender and now a faculty member of the
Stanford Law School. The problem is really with the law, she added, which is
too broad in its definition of computer crime as being "unauthorized
computer use," and therefore making anyone who pushes the limits a potential
criminal. Granick believes that hackers with records should only be trusted
if they've reformed. "The question really is, can someone reform, change,
mature?" she asks. 

Mitnick, who recently launched the security consulting firm Defensive
Thinking, said he's reformed.

"Once trust is violated, it's hard to get that back," Mitnick said. "I say,
look at a person's track record. In the last three years, I think I've
proven that I can be trusted."

Painter was not convinced.

After the session, Painter said that his real concern is that Mitnick showed
"very little remorse" for the damage he caused during a two-year hacking
rampage in the 1990's, that began while he was on probation for a former
hacking conviction.

Winkler agreed, saying that Mitnick may still be trying to pull the wool
over everyone's eyes by calling his exploits "hobbies."

Regardless of whether or not a hacker with a record has reformed, the bottom
line, said Painter, is that paying former criminals big bucks sends the
wrong message to the young, up-and-coming technology workforce. He added,
"That's like saying the best way to a high pay check is to go out and be a
criminal hacker." 

