Can there ever be such a person as an ex-hacker?, asks Mark Hanvey
Messages inscribed onto circuit-board designs and hidden inside software code have amused those skilled enough to uncover them for years. The hacker community, taking its cues from the graffiti movement, uses such messages to tag their work and build notoriety. A more recent development has been the use of these messages to open a dialogue with the information security field, and even to ask for work.
There have been many recent examples of credentials being hidden within viruses or worms in an attempt to gain employment. While most messages go unanswered, not all pleas fall on deaf ears. A number of firms have begun to employ ex-hackers and virus writers as "security consultants".
The poacher-turned-gamekeeper analogy has often been used to justify employing reformed criminals, claiming that the benefits of insight into the criminal mind more than outweigh the risk of betrayal. Lending further weight to this argument are figures from the Chartered Institute of Personnel and Development showing that only 6% of firms employing ex-criminals reported any subsequent problems as a result of their past record.
Arguing against a happy rehabilitation for hackers is the fact that information security is a profession and hackers are the antithesis of everything it stands for.
There is a vast difference between turning a sympathetic eye to a one-off crime unrelated to the role to hand - such as collecting an occasional speeding ticket - and accepting behaviour that consistently seeks to challenge and undermine you and your colleagues.
Employing ex-hackers creates a dangerous precedent. The fact remains that the activities these people were involved in may have caused immense damage. The Sasser worm alone is estimated to have infected a million computers worldwide, and snarled systems from trains in Australia to post offices in Taiwan. The cost of dealing with hacking attacks over the past year in the UK alone was estimated at £195m by the National Hi-tech Crime Unit in April 2005.
The security industry should close ranks and publicly refuse to employ ex-hackers whose past record remains incompatible with legitimate employment requirements. While not failing to recognise that individuals can genuinely reform, using their past illegal exploits as evidence of their abilities is simply not acceptable.
While many people might perceive such a stance as unfairly harsh, any other position risks incentivising further criminal activity.
Battle of wits
Many in this industry enjoy glamorising the battle of wits between the so-called "white hat" and "black hat" hackers. Allusions to the Wild West and military history are common. Sadly, however, this is no longer a game of gentleman amateurs, and organised criminal gangs are stepping into the breaches opened by hobbyist hackers.
There is no question that an appreciation of the methods hackers employ is important, and that we must be able to pit our wits against the best the hacking community can put forward. However, rather than relying on the knowledge of ex-hackers, the security industry must do more to disseminate skills within its own profession.
One approach is to send staff on ethical hacking and countermeasures courses, to expand their skills and help spot system flaws and weaknesses. Identifying how vulnerabilities can be exploited, and testing existing security procedures, is invaluable to building an understanding of the wider challenges and techniques that the hacking community exploits.
The security industry now has some of the highest professional credentials and information security specialists would do well to value their own expertise and only hire people of the utmost integrity.
Mark Hanvey is chief security officer at Cable & Wireless
This was first published in October 2005