There have been endless debates over whether or not to hire hackers.
The arguments have ranged from "It's OK as long as they're not convicted criminals," to "They're the ones we need to protect ourselves from, so let's learn from them," and "Never, never, never!" Well, if we are to believe companies such as WorldCom, the question has been answered, the debate settled.
In a copyrighted story on ZDNet last December, Robert Lemos tells the story of the "Curious Hacker" who attacked WorldCom and earned their appreciation and encouragement. What, in Heaven's name, are these people thinking? This Curious Hacker, described by Lemos as a "sometimes consultant and security researcher," poked around in the WorldCom network over a two-month period before he decided that it would be a good idea to tell WorldCom what he was doing.
In addition to WorldCom, the Curious Hacker has broken into Microsoft, Excite@Home and Yahoo. I've been doing intrusion investigations and intrusion testing for many years. Call me uninformed, but I always thought that penetrating a private system without permission was a violation of a fistful of laws, both federal and local. I guess I've been wasting my time and my clients' time getting appropriate contracts signed. If this is the 'new order' of things, I can just turn on my tools and let 'er rip. Perhaps my targets, like WorldCom, will be (quoting a WorldCom spokesperson) "definitely appreciative." However, somehow I doubt that.
Folks, this is a very bad thing for a lot of reasons. First, by encouraging this activity, WorldCom has issued an open invitation to the computer underground that says, "Hack me - just be sure that some day you tell me what you did."
Billion Dollar Bill recently announced that Microsoft is now going to put security ahead of everything in its products. No more buggy IIS. No siree... MS stuff is going to be TIGHT! Good thing, too. MS is a prime target for hackers, and Microsoft products comprise an entire hacking specialty in themselves. I wonder if MS is "definitely appreciative" of the Curious Hacker's activities on their network.
And how about Excite@Home? Now there's a company that has had more than its share of woes. I'll bet they are not "definitely appreciative" of the Curious Hacker.
Enough, already! WorldCom has done the entire Internet business community a grave disservice: first, by not prosecuting this turkey to the absolute limits of the law and then not whacking him with a whopping lawsuit, and second, by telling the news media (and, thus the whole world) just how cool they think this idiot is.
And who is right there fighting on the side of the Curious Hacker? The director of research and development for a major security consulting company that proudly hires black hats. His take on this is that "... poking around the Internet in the way [the Curious Hacker] does aids companies' security and shouldn't be considered illegal." I don't know about you, but that's not a company I am keen to hire. (To be fair, the company I work for actually competes with this particular consultant, which is why their name is not mentioned here.)
Our profession is built on integrity perhaps more than skill. It has long been an axiom of mine that you can buy technology anywhere for a price. Integrity is a far more precious commodity. We need to step back and have an introspective look at where we are going when we take WorldCom's public approach.
Peter Stephenson, CPE, PCE, is director of technology services at QinetiQ Trusted Information Management, Inc. (www.imfgroup.com). He is a regular contributor to SC Magazine's North America edition, with the monthly "On the Highway" column.