Real World Computing

Mac hacks, BBC attacks and backing hackers

Posted on 18 Jun 2009 at 11:20

Davey Winder exposes the 100% secure Mac myth, questions the BBC's botnet morality, and considers hiring hackers.

Hiring hackers

Another botnet story that caught my attention recently also involves ethics in the IT security business - the old chestnut about whether or not you should employ convicted hackers. Now let me get this straight: some of the best security consultants I know have had a somewhat "colourful past" - including perpetrating hacking exploits - and in my opinion, such experience actually qualifies them rather than disqualifies them from this job. There are some people, however, who vehemently disagree with me and argue (with some merit) that good hacking skills and good IT security skills aren't in fact entirely the same, insisting that to break into a network and to protect a network require two completely different sets of technical qualifications. I was even at a security conference some years back when a highly placed director of security at one of the big IT companies suggested that a monkey could be trained to hack most networks in just a few hours. That, I think, misses the point.

IT security is more often than not a matter of mindset, and while it can be learned from a book and can be taught, even so a poacher-turned-gamekeeper will always have an edge over a book-taught one. They understand how the hacker's mind works, how the hackers think, and that's something that's a lot harder to grasp from theory than it is from battlefield practice. I will agree that most ex-hackers nowadays tend not to be the most skilled members of their profession, by the very fact that they were caught, which suggests they weren't entirely in control of the game. Back in the day of 20 years or so ago - when hacking truly did require a high level of technical know-how - things were different, but today most ex-hackers are actually self-proclaimed and really nothing more than kiddie-script-monkeys who use ready-made solutions.

Most of the hackers I know who made the move from the dark side to the light did so with the passage of time and without ever being caught, which is why I was somewhat concerned when I read that a botnet builder, duly convicted of spreading malware to a quarter of a million computers and starting his four-year prison term, will have a job waiting for him when he gets out as a security consultant for a big search company. His boss didn't know that this botnet builder had already pleaded guilty to his crimes as part of the FBI Operation Bot Roast in 2007 and was awaiting sentencing when he applied for the job, and admits that he wouldn't have hired him had he known this - but he also says that the perp is a talented developer who just pushed the envelope too far when young, and has gone on the record to say he hopes to offer him a job when released. Feel free to voice your opinion on this case in the PC Pro forums (www.pcpro.co.uk/forum/), as I'd be very interested to see which way you swing on this rather tricky moral issue.

User comments

I've never said that Macs were 100% secure...

...just that, given a reasonable amount of common sense, they were far less likely to deteriorate over time than Windows systems, and far more intuitively usable to the average new/inexperienced user (or expert) than either Windows or Linux. I say this with 25 years' experience developing for and supporting Windows in every environment imaginable.

I've blogged about this sort of thing a few times, talking about the debate between adequacy and excellence (http://tr.im/wmRR), "Happy Updating...." (http://tr.im/wmS7) and, particularly, "Differences that Make Differences Are Differences" (http://tr.im/wmSh). I'd be very interested in your thoughts.

By jdickey1 on 14 Aug 2009


Davey Winder


Davey is a contributing editor to PC Pro, having covered the internet as a topic since the magazine started in 1994. Since that time he's won numerous awards for his journalism, but remains a small-business consultant specialising in privacy, security and usability issues.


PCPro-Computing in the Real World Printed from www.pcpro.co.uk
