Hiring Hackers – as speakers (part 1)
By the time you read this, CIO magazine will probably have already done its “In Cloud We Trust” Webcast.
The ISSA, ready to provide links to any security-related activities, inadvisedly advertised the Webcast. I say inadvisedly because the Webcast, or at least the promotional material, features Kevin Mitnick. This juxtaposition created a bit of a furor over the fact that a prestigious security institution was promoting a former computer criminal. (It is entirely possible that Kevin Mitnick rather enjoyed the discomfiture of ISSA, since ISSA had the effrontery, in 2003, to turn down Kevin Mitnick’s application for membership.)
All of which sparked yet another debate, in at least one venue, over the advisability of hiring or attending to (for the purposes of security), those formerly convicted of computer crimes.
Feelings are strong, and tempers rather short, when this topic comes up for discussion. Passions are surprisingly high on both sides of the debate. However, I would like to attempt to present some opinions on the matter.
(I’m not going to speak about the Webcast itself. As chance would have it, I’ll have to be getting on a bus at about that time in order to go downtown. To speak to an ISSA meeting.)
Those who feel that hackers can and should be hired suggest that those best qualified to protect systems are those who have broken into them. We, in defence of our systems, should not let foolish moral quibbles stand in the way of gaining the best information and advantage that we can.
I am on the side that opposes the use of former criminals. I do not disagree with the risk management analysis of those on the pro side, but I feel that it is based on faulty assumptions. My objections to the hiring of hackers are practical as well as moral, and, in terms of ethical analysis, lie in the area of practical morality.
In order to address the practical issues, I have to clarify, and separate, the different types of help we think we are going to get from cybercriminals. Do we employ them for security management and administration? Do we hire them for penetration testing? Do we use them as security consultants? Or do we just listen to them in seminars, webcasts, and conferences?
This last is the most difficult to oppose. What is the harm in listening? Should we not take every opportunity to learn all that we can about security? Why block ourselves off from an important source of information?
So, I’ll address this first.
What is the harm in listening? Well, we aren’t just listening, are we? First off, most “reformed hackers” aren’t exactly doing this out of the goodness of their hearts. Those who are on the lecture circuit generally make pretty good money out of it. A lot of them make more than most legitimate security researchers, analysts, and consultants. Then there are the spin-off benefits in books, workshops, and just plain advertising for John Q. Hacker’s Security Consulting.
Money isn’t the only benefit, though. I’ve always been interested in the social side of technology, and for more than twenty years I’ve been studying those on the dark side. Most of these people are charter members of Egos-backwardsR-Us. Not all of them, but certainly enough to make it pretty much a defining characteristic. Given a choice between money and a chance to grab the limelight, they might have to stop and think about it.
Regardless of whether we are paying cash or just stroking egos, one thing we are definitely doing is tacitly promoting the importance of what they have done. We are saying that it is better, in the sense of obtaining security information, to break into systems than to study in other ways.
And I’ll address that later.