San Francisco, Calif. - The RSA Conference this week hosted a panel discussion titled “Foxes in the Henhouse” about the contentious issue of hiring reformed hackers as computer security professionals. The expectant audience didn’t have to wait long for the sparks to start flying among the four panelists. The most heated exchanges came between Kevin Mitnick, the reformed hacker who served five years in prison after a highly publicized computer crime conviction and became an icon in the hacker community, and Ira Winkler, Hewlett Packard’s Chief Security Strategist and a former National Security Agency employee.
Mitnick condemned Winkler as a hypocrite for speaking against using hackers in such posts, saying Winkler himself had hired members of a group called the Ghetto Hackers for an information security group in the past, while Winkler reminded the audience that Mitnick was a convicted felon who’d been arrested five times in the past 20 years and as a hacker was adept at rationalizing his computer crimes.
The other two panelists, Jennifer Granick and Christopher Painter, provided the legal view, as they have been on opposite sides of many computer crime cases, Granick as a defense attorney and Painter as a prosecutor. The motley mix of backgrounds and opinions made for a volatile, yet informative, discussion.
Here are the panel’s notable quips about specific issues raised during the lively hour-long event:
The skills hackers bring to the computer security profession
Mitnick: Hackers who have reformed have something to bring to the table. They’re not doing simulated-type penetration testing. For example, do I want a pilot who has 1,000 hours on a flight simulator or 1,000 hours of real-time flight experience? I think there’s a value proposition there.
Granick: Computer security requires a talent [which hackers have] at being able to understand how something can be made to do something that it’s not supposed to do: how it can be used in an unauthorized or unexpected or novel way. You have to be able to anticipate those types of uses in order to guard against them.
Winkler: The best penetration testers I’ve ever met have been fully cleared people working for the U.S. government… What do hackers offer that legitimate security professionals don’t? They don’t bring any specific way or any unique tool that might be used… If you show me somebody with a criminal record and say ‘here’s his skill set’, I can find you 30 people with the same skill set, if not better, who have no criminal record.
Painter: For a computer security person, you want [him or her] to look at the other people on the system not just as bits and bytes but as individuals who have privacy and other interests. Hackers at one time in their lives weren’t able to make that distinction and put their interests first. If past is prologue, you have to look at that.
Mitnick: The trust has to be evaluated on a case-by-case basis. Once trust is violated, it’s extremely difficult to get back. The trust requires the person that’s hiring to do their due diligence and really look at the risk.
Winkler: There are well-established, legitimate firms that you can hire and you don’t have to worry about what happens when a hacker you’ve hired does something wrong, and you’ve provided him with the tools to do it. How does it look when you bring in someone with a questionable background and give them the keys to the castle? How do you explain to your shareholders that level of risk?
Can hackers really reform?
Mitnick: My position now is any type of unauthorized access is completely wrong, and it’s illegal and unethical.
Painter: One of the things that hackers have demonstrated is not just, as defense attorneys like to put it, intellectual curiosity, but a disregard for other people’s rights and property and a way to minimize that conduct and say ‘this is not that illegal, this is not that problematic.’
Winkler: Why not use people [with no criminal past] instead of hiring someone with a criminal record and putting yourself and your customers at risk? There’s the issue of recidivism. There’s a high rate of recidivism in just about all crimes.
Granick: It’s incredibly presumptuous to say every person who has a criminal record cannot be rehabilitated, cannot change, is immoral, is untrustworthy and is not worth the risk.
Granick: I’m the only one up here who’s qualified to say what hackers think, because I’ve defended so many of them. Hackers think ‘I will not get caught.’ Period.
Mitnick: I can think of several individuals who’ve started very successful computer companies who were hackers, crossing the line into unauthorized access. A lot of respected people in the industry who’ve started companies that many people use as vendors were actually hacking before. I was actually trading vulnerabilities with a lot of these people.
Winkler: My definition of what he’s saying is ‘you can’t trust anybody, so you might as well trust the crooks.’
So should companies hire them or not?
Mitnick: The truth is in the industry hackers are used. A lot of companies, to save their brand or save their image, don’t like to admit it, but that’s what’s really going on. My clients are happy with the skill set I bring despite my criminal background.
Painter: People can be rehabilitated, but it’s a risk factor. Look at other industries. If someone gets convicted of bank fraud or embezzlement, they don’t get rehired in the banking industry. People convicted of insurance fraud don’t get hired in the insurance industry.