Would you employ a hacker or malware writer?

Microsoft has pointed the figure at a Russian antivirus outfit's former technical expert, claiming he was the brains behind the Kelihos spam botnet. Davey Winder is prompted to ponder whether it's ever advisable to hire a former hacker or malware author...

With maturity comes the ability to resist the kind of vengeful attack that employers worry might be unleashed when the ex-hacker becomes an ex-employee.

There is a secondary truth attached to this, which is that they are also likely to be a lot younger than my contemporaries and I were back in the day. When I started hacking I was in my late twenties, not my mid-teens. Which throws the not so small matter of maturity into the hacker employment argument. With maturity comes the ability to resist the kind of vengeful attack that employers worry might be unleashed when the ex-hacker becomes an ex-employee.

You have probably noticed by now that I have exclusively concentrated on the ex-hacker here, not only because it is the example I am best acquainted with but also because it's the more contentious part of the employment debate.

Hackers for hire

George Hotz, aka geohot, the hacker behind jailbreaking the PlayStation 3, was employed by Facebook as a software engineer.

Nicholas Allegra, aka Comex, the man behind the JailbreakMe site for hacking iPhones, was hired by Apple as an intern.

Kevin Mitnick, aka Condor, was jailed for various hacking offences and at one point made the FBI 'most wanted' list as a supposed cyber terrorist but is now a respected IT security consultant.

John Draper, aka Cap'n Crunch, the hacker who invented phone phreaking and served time in the 70's, worked for Apple and helped develop the EasyWriter word processor.

There are many industry sectors where employing someone with proven strengths in the IT security space - albeit from the wrong side of the tracks - could feasibly be contemplated. There are none that I can think of where a former malware writer would be an asset. And that certainly includes the most obvious of all, the security vendors and malware research labs.

Why so? Why the differentiation between malware author and hacker? Simply because a hacker can have plied a trade without malicious intent, whereas, by definition, the malware author cannot. This strains the trust relationship to the point where it has to snap, where it cannot ever be said to be a sensible move, where the risk will always outweigh the potential reward.

Yes, a reformed malware author may be able to bring an understanding of the malware mind-set to the security research table but that mind-set can be taught and security vendors are more than capable of taking on clever coders who can learn and adapt without ever actually venturing into The Dark Side.

IT Pro would like to hear your opinion. Would you hire, or have you hired, a hacker? Let us know at comments@itpro.co.uk.

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Most Popular

School laptops sent by government arrive loaded with malware
malware

School laptops sent by government arrive loaded with malware

21 Jan 2021
How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

21 Jan 2021
What is the Raspberry Pi Pico?
Hardware

What is the Raspberry Pi Pico?

21 Jan 2021