Would you employ a hacker or malware writer?

Page 3 of 3:

Page 3

With maturity comes the ability to resist the kind of vengeful attack that employers worry might be unleashed when the ex-hacker becomes an ex-employee.

There is a secondary truth attached to this, which is that they are also likely to be a lot younger than my contemporaries and I were back in the day. When I started hacking I was in my late twenties, not my mid-teens. Which throws the not so small matter of maturity into the hacker employment argument. With maturity comes the ability to resist the kind of vengeful attack that employers worry might be unleashed when the ex-hacker becomes an ex-employee.

You have probably noticed by now that I have exclusively concentrated on the ex-hacker here, not only because it is the example I am best acquainted with but also because it's the more contentious part of the employment debate.

Hackers for hire

George Hotz, aka geohot, the hacker behind jailbreaking the PlayStation 3, was employed by Facebook as a software engineer.

Nicholas Allegra, aka Comex, the man behind the JailbreakMe site for hacking iPhones, was hired by Apple as an intern.

Kevin Mitnick, aka Condor, was jailed for various hacking offences and at one point made the FBI 'most wanted' list as a supposed cyber terrorist but is now a respected IT security consultant.

John Draper, aka Cap'n Crunch, the hacker who invented phone phreaking and served time in the 70's, worked for Apple and helped develop the EasyWriter word processor.

There are many industry sectors where employing someone with proven strengths in the IT security space - albeit from the wrong side of the tracks - could feasibly be contemplated. There are none that I can think of where a former malware writer would be an asset. And that certainly includes the most obvious of all, the security vendors and malware research labs.

Why so? Why the differentiation between malware author and hacker? Simply because a hacker can have plied a trade without malicious intent, whereas, by definition, the malware author cannot. This strains the trust relationship to the point where it has to snap, where it cannot ever be said to be a sensible move, where the risk will always outweigh the potential reward.

Yes, a reformed malware author may be able to bring an understanding of the malware mind-set to the security research table but that mind-set can be taught and security vendors are more than capable of taking on clever coders who can learn and adapt without ever actually venturing into The Dark Side.

IT Pro would like to hear your opinion. Would you hire, or have you hired, a hacker? Let us know at comments@itpro.co.uk.

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.