
This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://software.silicon.com/security/0,39024655,39124278,00.htm


Leader: Hackers should be hired - sometimes
Because the bad guys can sometimes become the good guys

By silicon.com

Published: Thursday 23 September 2004

The hiring of accused Sasser virus writer Sven Jaschan by a German IT security vendor has once again reopened the debate about whether convicted or known hackers and virus writers can ever be trusted to work in legitimate IT jobs.

The question split silicon.com's CIO Jury this week with one CIO saying you should "never be too proud to learn" while another likened hiring a hacker to getting serial-killer doctor Harold Shipman to check out your sick mother if he had served his time and been released.

However, the IT security vendors have presented a united front, saying hackers can't ever be trusted to turn gamekeeper. That stance is somewhat understandable. The IT vendors have to be seen to be whiter than white and a breach resulting from hiring a computer criminal would ruin trust in their products and potentially bring down their whole business.

While many of these criminals are just bored script kiddies with basic coding knowledge, some are undoubtedly extremely talented. Surely it is a waste of that talent to let a teenage prank deprive the IT world of those skills being put to good use later in an individual's life.

There are examples of reformed hackers, one of the most famous being convicted cybercriminal Kevin Poulsen, who worked a regular day job and then hacked by night under the handle 'Dark Dante'. He famously hacked an LA radio station's phone lines to ensure he would be the 102nd caller and win a car. The FBI finally tracked him down and he was sentenced to 51 months in jail.

Poulsen is now the respected editor of an online IT security news website, SecurityFocus, and an expert commentator on security developments and trends.

Here in the UK there is Robert Schifreen, the man who hacked BT's Prestel network and accessed an account belonging to Prince Philip in 1985. He was eventually acquitted after an appeal to the House of Lords, but the incident brought about a change in the law, with the introduction of the Computer Misuse Act making it illegal to hack computers.

Since then Schifreen has spent many years working as an IT journalist and speaking at conferences - he was last seen putting his skills to good use working for the IT department at the University of Brighton.

Clearly this is one issue where there isn't a definitive right or wrong answer. For some companies the risk to the business of hiring an 'ex-hacker' (and let's forget this stupid hacker versus cracker debate - if you break into computer systems you're a hacker, end of story) is simply too great. For others it may be worth taking the risk to get access to a special IT talent.

The subject also raises moral issues about the duty of society to rehabilitate convicted criminals who have served their time and shown remorse or regret for their actions. Clearly serial computer crime offenders are unlikely to be wanted in any corporate IT department or IT company but what about someone who made a mistake just once?

Essentially it comes down to a judgement call on each case by the person doing the hiring - and a great deal of trust. Either way, this is a debate that's not likely to end anytime soon.

Would you hire a hacker?

