Debate

Legitimate companies should consider hiring former black-hat hackers.

FOR

Winn Schwartau, president, The Security Awareness Co.

Are all black hackers the same degree of black? Ashley Towns essentially created a harmless ‘Rick Roll’ on jailbroken iPhones running SSH that only affected users who neglected to change a default root password. Was his ‘hack’ as damaging as Mafia Boy's DDoS attack? I argue no.

I have long advocated that background checks are useless. To determine the proclivity and potential deception of a candidate, the employer should run an industrial psychological profile on all mission-critical positions within the company (admins, etc.).

For a former hacker developer, does their code have oversight? Do they have excessive access to resources? Everyone in their past has a few skeletons, and most of us should not have to pay a life-long price for a past transgression.

Black Hat hackers? Evaluate their true criminality, damage and proclivities. Determine the worst-case risk from such a hire. Apply common sense, and avoid the blogosphere's lemming-like hysteria.

AGAINST

Paul Ducklin, head of technology, Asia Pacific, Sophos

I'm not so hard-hearted as to say “never.” Criminals can regret and repent and reform. But if you have been a cybercriminal, and are now seeking work even remotely connected with IT, I think it's reasonable that you should find the job search tough.

You'll need hard evidence good enough to convince not just me, but also all my customers, that you can now be trusted around their personal data. Just being a “former hacker” is not enough, and for me to hire you on that basis would be irresponsible of me, to say the least.

Don't bother with the excuse: “Black hats aren't all cybercriminals.” Any sort of unauthorized access is criminal, and you jolly well know it.

And spare me the self-serving “poachers make the best gamekeepers” argument.

Computer companies that blindly buy that myth, like the Aussie outfit that hired a wannabe programmer for his “expertise” in writing the first-ever iPhone virus, don't deserve to be trusted.
