San Francisco, Calif. The RSA Conference this week hosted a panel discussion titled "Foxes in the Henhouse" about the contentious issue of hiring reformed hackers as computer security professionals. The expectant audience didn't have to wait long for the sparks to start flying among the four panelists. The most heated exchanges came between Kevin Mitnick, the reformed hacker who served five years in prison after a highly publicized computer crime conviction and became an icon in the hacker community, and Ira Winkler, Hewlett Packard's Chief Security Strategist and a former National Security Agency employee.
Mitnick condemned Winkler as a hypocrite for speaking against using hackers in such posts, saying Winkler himself had hired members of a group called the Ghetto Hackers for an information security group in the past, while Winkler reminded the audience that Mitnick was a convicted felon who'd been arrested five times in the past 20 years and as a hacker was adept at rationalizing his computer crimes.
The other two panelists, Jennifer Granick and Christopher Painter, provided the legal view, as they have been on opposite sides of many computer crime cases, Granick as a defense attorney and Painter as a prosecutor. The motley mix of backgrounds and opinions made for a volatile, yet informative, discussion.
Here are the panel's notable quips about specific issues raised during the lively hour-long event:
The skills hackers bring to the computer security profession
Mitnick: Hackers who have reformed have something to bring to the table. They're not doing simulated-type penetration testing. For example, do I want a pilot who has 1,000 hours on a flight simulator or 1,000 hours of real-time flight experience? I think there's a value proposition there.
Granick: Computer security requires a talent [which hackers have] at being able to understand how something can be made to do something that it's not supposed to do, how it can be used in an unauthorized or unexpected or novel way. You have to be able to anticipate those types of uses in order to guard against them.
Winkler: The best penetration testers I've ever met have been fully cleared people working for the U.S. government... What do hackers offer that legitimate security professionals don't? They don't bring any specific way or any unique tool that might be used... If you show me somebody with a criminal record and say 'here's his skill set', I can find you 30 people with the same skill set, if not better, who have no criminal record.
The risks companies considering a hacker for a computer security position face
: For a computer security person, you want [him or her] to look at the other people on the system not just as bits and bytes but as individuals who have privacy and other interests. Hackers at one time in their lives weren't able to make that distinction and put their interests first. If past is prologue, you have to look at that.
Mitnick: The trust has to be evaluated on a case-by-case basis. Once trust is violated, it's extremely difficult to get back. The trust requires the person that's hiring to do their due diligence and really look at the risk.
Winkler: There are well-established, legitimate firms that you can hire and you don't have to worry about what happens when a hacker you've hired does something wrong, and you've provided him with the tools to do it. How does it look when you bring in someone with a questionable background and give them the keys to the castle? How do you explain to your shareholders that level of risk?