Legitimate companies should consider hiring former black-hat hackers.
Winn Schwartau, president, The Security Awareness Co.
Are all black hackers the same degree of black? Ashley Towns essentially created a harmless ‘Rick Roll’ on jailbroken iPhones running SSH that only affected users who neglected to change a default root password. Was his ‘hack’ as damaging as Mafia Boy's DDoS attack? I argue no.
I have long advocated that background checks are useless. To determine the proclivity and potential deception of a candidate, the employer should run an industrial psychological profile on all mission-critical positions within the company (admins, etc.).
For a former hacker developer, does their code have oversight? Do they have excessive access to resources? Everyone in their past has a few skeletons, and most of us should not have to pay a life-long price for a past transgression.
Black-hat hackers? Evaluate their true criminality, damage and proclivities. Determine the worst-case risk from such a hire. Apply common sense, and avoid the blogosphere's lemming-like hysteria.
Paul Ducklin, head of technology, Asia Pacific, Sophos
I'm not so hard-hearted as to say “never.” Criminals can regret and repent and reform. But if you have been a cybercriminal, and are now seeking work even remotely connected with IT, I think it's reasonable that you should find the job search tough.
You'll need hard evidence good enough to convince not just me, but also all my customers, that you can now be trusted around their personal data. Just being a “former hacker” is not enough, and for me to hire you on that basis would be irresponsible of me, to say the least.
Don't bother with the excuse: “Black hats aren't all cybercriminals.” Any sort of unauthorized access is criminal, and you jolly well know it.
And spare me the self-serving “poachers make the best gamekeepers” argument.
Computer companies that blindly buy that myth, like the Aussie outfit that hired a wannabe programmer for his “expertise” in writing the first-ever iPhone virus, don't deserve to be trusted.