@Stake jilts Phiber Optik

[William Knowles <wk () C4I ORG>]

http://www.securityfocus.com/news/79

The corporation formerly known as the L0pht courts Mark Abene, balks
at his hacker past.

By Kevin Poulsen
September 1, 2000 5:12 AM PT

When Mark Abene found himself being wooed last month by security
services firm @stake, he didn't expect his hacker past from seven
years earlier to come back to haunt him. After all, just last January
a newly-minted @stake was basking in media limelight after announcing
a merger with the group the company described as the "renowned hacker
think-tank" L0pht Heavy Industries.

So Abene was surprised when the company, which was apparently ignorant
of his history when asking him to join its budding New York office,
abruptly withdrew its offer in the final phases of hiring. As Abene
describes it, the @stake recruiter tiptoed gingerly around the reason
for the company's change of heart, before she finally explained in a
voice dripping with contempt and finality, "We ran a background
check."

Whether @stake's investigation turned up the countless books and
magazine articles written about Abene in the first half of the last
decade, or the 1993 hacking conviction that landed him ten months in
federal stir, the result was the summary rejection of the man once
known as "Phiber Optik" by a company whose vice president of research
and development answers only to "Mudge." Now Abene is crying foul,
charging @stake with hypocrisy in a flap that highlights the
ambiguities and conflicts that arise as hackerdom's Generation X moves
into corporate career slots.

"I see a rift generating," says Abene. "People who have been able to
escape their teenage years unscathed have this elitism. They consider
themselves better than other hackers who were unlucky enough to be
prosecuted for whatever reason, or for whatever mistakes they made."

Unlike Abene, and notwithstanding their underground image, none of the
L0pht's members are known to have committed a computer crime. The
group is generally regarded as a collective of "gray hat" hackers who
publish programs that test network security, like the $100 L0phtCrack
password cracker, and discover and publicize vulnerabilities in
software products. They've claimed that they retain their handles,
Brian Oblivion, Dildog, Kingpin, Mudge, Silicosis, Tan, and Weld Pond,
not because they have anything to hide, nor to capitalize on the
mystique hackers hold with the media, but because it's how they've
always been known in the security community.

(@stake declined comment for this story, except to issue a written
statement saying that the company performs background checks on all
new hires. Mudge did not return phone calls.)

Abene, on the other hand, was renown for his unauthorized romps
through telephone systems and packet-switched networks in the years
before the Internet blossomed. Back then, he had a reputation as a
non-destructive and mediagenic hacker who never concealed his actions;
in the 1992 book "The Hacker Crackdown," author Bruce Sterling wrote
of Abene, "Even cops seemed to recognize that there was something
peculiarly unworldly and uncriminal about this particular
troublemaker." His raid by the U.S. Secret Service was a focus of John
Perry Barlow's "Crime and Puzzlement," the first manifesto of the
electronic civil liberties movement.

In the years since Mark Abene last used his handle, he's worked doing
penetration tests for an accounting firm, and now heads a three-man
computer security consultancy in New York called Crossbar Security,
named for a type of vintage telephone switch. "The majority of the
work that my firm has gotten has been through recommendations from
other people," says the 28-year-old Abene. "We don't do any marketing
or any publicity."

As the head of a small business, Abene says he's doing "fairly well."
But in the world of large security companies with millions in funding,
his conviction may matter more. "It's definitely an interesting
paradox in the industry now," says Space Rogue, who until last June
was an employee of @stake's L0pht component and the editor of the
Hacker News Network. "The mantra has gone from, 'we don't hire
hackers'--because everyone does whether they know it or not--to, 'we
don't hire criminals.' Which means as long as you don't have a
criminal record, you're good."

Indeed, there are few hackers from the eighties and nineties who can't
rattle off a list of peers from the computer underground now working
for top-name security firms. But confirming them without the paper
trail of a criminal conviction is tricky--perhaps mercifully so for
companies who need the talent. "That seems to be the one saving
grace," says security consultant Chris Goggans, who freely admits to
his own hacker past. "A lot of companies can hire these people and
look the other way because they were never arrested."

As "Erik Bloodaxe," Goggans was a member of the 80's hacker gang the
Legion of Doom, and an Abene rival. But he was never prosecuted for a
computer crime. "I look back and think, I was really, really lucky."
Now, as director of operations at Virginia-based Security Design
International, he says he'd have to turn away an applicant who'd been
convicted of hacking. "For the kind of work that we do, if they had a
past history of being convicted for any felony, I wouldn't hire them,"
says Goggans. "It affects a companies' errors-and-omissions insurance,
whether they can be bonded, whether the applicant will be able to hold
[defense] clearances."

Even 20-year-old security wunderkind Marc Maiffret, "chief hacking
officer" and cofounder of eEye, a California security software firm
that recently raised a $5 million in venture capital, says he'd
hesitate before hiring an ex-cyber-con. "If somebody does have
something on their record, they need to be that much better," says
Maiffret. "They need to be twice as good."

Maiffret admits to a past that includes cracking Pentagon computers,
but says he'd hire himself, because he is that good, and he's grow
older and wiser since then. "That's stuff that happened, like, three
years ago now."

The reporter is a convicted hacker.

Tips, feedback, flames? Email news () securityfocus com


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".