Hiring Hackers: Would You Ever Trust Your Network Security To An Ex-Thief?
As the saying goes, if you can't beat them join them. But in the case of ex-hackers who abandon their criminal lives to pursue careers in corporate security, these security wizards often have already beaten the system and are now choosing to exploit it further by profiting from the expertise they gained at the expense of the organizations they once menaced.
July 18, 2006
As the saying goes, if you can't beat them join them. But in the case of ex-hackers who abandon their criminal lives to pursue careers in corporate security, these security wizards often have already beaten the system and are now choosing to exploit it further by profiting from the expertise they gained at the expense of the organizations they once menaced.This is of course just one perspective on hiring a reformed hacker to provide consulting and other security services. The opposing view follows the logic that who would know better how to defend the enterprise than someone who made it formerly made it their life's work to hack into the network?
This issue came up again during the trial of Roger Duronio, the former UBS PaineWebber system administrator accused of setting off a logic bomb that crippled his ex-employer's servers, when Duronio's defense team pointed out that the forensic investigation that led to Duronio was conducted by a former hacker who now works as a security consultant. The defense team said the security consultant wasn't a trustworthy resource and thus incapable of conducting a credible investigation.
So would you trust an ex-hacker with your network security? In general, I think hiring a former hacker for an enterprise security role isn't a good idea, expert as he or she may be, if for no other reason than it would be difficult to trust them in their position. Also, I don't think criminals should be rewarded for their behavior. This said, however, I do think people can reform and there may be cases where a former hacker is really the best fit for a position. However, I can't see the case where I would ever knowingly give a hacker that kind of access to my network.
AddendumAfter deliberating for 20 hours, the jury found Roger Duronio guilty of computer sabotage and securities fraud. The prosecution will seek the maximum sentence, a seven year prison term, for Duronio.
About the Author
You May Also Like