Would you employ a hacker or malware writer?
Microsoft has pointed the figure at a Russian antivirus outfit's former technical expert, claiming he was the brains behind the Kelihos spam botnet. Davey Winder is prompted to ponder whether it's ever advisable to hire a former hacker or malware author...
With maturity comes the ability to resist the kind of vengeful attack that employers worry might be unleashed when the ex-hacker becomes an ex-employee.
There is a secondary truth attached to this, which is that they are also likely to be a lot younger than my contemporaries and I were back in the day. When I started hacking I was in my late twenties, not my mid-teens. Which throws the not so small matter of maturity into the hacker employment argument. With maturity comes the ability to resist the kind of vengeful attack that employers worry might be unleashed when the ex-hacker becomes an ex-employee.
You have probably noticed by now that I have exclusively concentrated on the ex-hacker here, not only because it is the example I am best acquainted with but also because it's the more contentious part of the employment debate.
Hackers for hire
George Hotz, aka geohot, the hacker behind jailbreaking the PlayStation 3, was employed by Facebook as a software engineer.
Nicholas Allegra, aka Comex, the man behind the JailbreakMe site for hacking iPhones, was hired by Apple as an intern.
Kevin Mitnick, aka Condor, was jailed for various hacking offences and at one point made the FBI 'most wanted' list as a supposed cyber terrorist but is now a respected IT security consultant.
John Draper, aka Cap'n Crunch, the hacker who invented phone phreaking and served time in the 70's, worked for Apple and helped develop the EasyWriter word processor.
There are many industry sectors where employing someone with proven strengths in the IT security space - albeit from the wrong side of the tracks - could feasibly be contemplated. There are none that I can think of where a former malware writer would be an asset. And that certainly includes the most obvious of all, the security vendors and malware research labs.
Why so? Why the differentiation between malware author and hacker? Simply because a hacker can have plied a trade without malicious intent, whereas, by definition, the malware author cannot. This strains the trust relationship to the point where it has to snap, where it cannot ever be said to be a sensible move, where the risk will always outweigh the potential reward.
Yes, a reformed malware author may be able to bring an understanding of the malware mind-set to the security research table but that mind-set can be taught and security vendors are more than capable of taking on clever coders who can learn and adapt without ever actually venturing into The Dark Side.
IT Pro would like to hear your opinion. Would you hire, or have you hired, a hacker? Let us know at firstname.lastname@example.org.
In This Article
Application security fallacies and realities
Web application attacks are the most common vulnerability, so what is the truth about application security?Download now
Your first step researching Managed File Transfer
Advice and expertise on researching the right MFT solution for your businessDownload now
The KPIs you should be measuring
How MSPs can measure performance and evaluate their relationships with clientsDownload now
Life in the digital workspace
A guide to technology and the changing concept of workspaceDownload now