Panda’s Urban Myths: should the security industry employ ex-hackers?

November 6, 2010

Panda Security asked its user community which urban myths come to mind when they think about the anti-virus industry, and then set about ‘deconstructing the top five’. The pedant in me, of course, immediately objected: this process assumes from the outset that these ‘accusations’ are myths; it cannot be an objective analysis.

Anyway, the five ‘myths’ are:

  1. Antivirus security companies make the viruses
  2. Security companies hire hackers
  3. There are no viruses for Mac, Linux or cell phone platforms
  4. It requires considerable knowledge to be a hacker, develop viruses, infiltrate systems…
  5. Women don’t work in security companies

It is the second one that most caught my eye: security companies hire hackers. “Of course we can’t speak on behalf of the entire industry, but at Panda Security this issue has been a concern for us and we have never knowingly contracted ‘black hat’ hackers. We have however hired – and we are always looking out for – ‘white hat’ (basically, the good guys) hackers.”

I don’t doubt Panda for one second; but what is the difference between a white hat and a black hat? Is it motive? Well, one man’s freedom fighter is another man’s terrorist; so how can you decide?

Consider the Asperger’s Syndrome (AS) connection. Mitnick once said: “After my arrest, I met this hacker from the UK who told me he was diagnosed with this Asperger syndrome: people who are not good in social relationships, but they are very good with numbers, very good at focusing on a problem for a very long period of time. As he described it, I realized, ‘Wow, that sounds like me.’ The more I thought about it, it seemed to describe people I know who are into hacking.”

Today, of course, Gary McKinnon is a diagnosed AS sufferer.

A 2001 USA Today article said of Asperger’s sufferers: “But this occasionally causes them to act out against what they see as injustice and take credit for their deeds, similar to hackers who defend their attempts to infiltrate networks as efforts to identify shoddy security, rather than to profit by stealing data, experts say.”

And AS is sometimes characterised by ‘right motive, wrong action’. So, is evidence of AS the difference between a white hat and a black hat?

There are other issues. The history of infosec is riddled with hackers moving on to found the early security companies. And in recent times there are some celebrated cases of hackers being employed by the industry. Two examples:

Mikeyy Mooney, the 17-year old hacker who caused mayhem on Twitter with a series of worms on the micro-blogging website last weekend, has been rewarded with a job in web applications development according to media reports.

Frankly, the news that exqSoft Solutions has approached and hired Mikeyy Mooney, the teenager behind the StalkDaily and Mikeyy worm attacks, has really got my goat.
Firm hires Twitter worm author Mikeyy Mooney, by Graham Cluley on April 17, 2009


Now Towns has resurfaced, only this time he hasn’t infected unlocked iPhones with another 80s pop star. Apparently, someone took notice of Towns’ “skills” and has offered the hacker a job. He made the announcement via his Twitter page, saying that he is now working as… hang on for this one… an iPhone application developer!
Tom’s Guide:  Nov 30 2009

But you have to wonder whether these hires are about acquiring programming skills, or are just cynical attempts at gaining publicity: in other words, the companies concerned are employing ‘celebrities’ rather than hackers.

The reality is that some security companies do and always have employed ‘ex-hackers’. And I really don’t know whether this is ultimately a good thing or a bad thing. I have to take the craven politicians’ route: “We should examine each case on its own merits.”

Panda Security
More on Panda’s urban myths

I have been pointed towards a fascinating article by Lucian Constantin on Softpedia: Italian Authorities Want to Hire a Romanian Hacker Genius

This raises some difficult questions. The hacker-genius wasn’t hacking for the fun or kudos or to expose social wrongs: he is a convicted criminal identity thief. But he is also a computing genius.

It’s an age-old problem not limited to computers and hacking: just where do you draw the line between expediency and morality?

  1. November 6, 2010 at 8:47 pm

    this is one of those times when it’s good to make the distinction between the anti-malware/anti-virus industry/community and the broader security industry/community.

    panda security is an anti-malware company. while anti-malware companies are also security companies, the anti-malware community has historically been far, far less ethically ‘flexible’ than the broader security community.

    concurrently the anti-malware community is often perceived as being less inclusive (more elitist) than the broader security community. because those companies weren’t started by a bunch of people with questionable pasts, they’ve had the option of crucifying any competitor in the court of public opinion for ethical breaches such as hiring the fox to guard the hen house. that threat has kept the industry (and by extension the community) free of that sort of bad element for the most part (other sorts of bad elements are a different matter), but it’s also one of the things that reinforces the elitist perception.

