Panda’s Urban Myths: should the security industry employ ex-hackers?
Panda Security asked its user community which urban myths come to mind when they think about the anti-virus industry, and then set about ‘deconstructing the top five’. The pedant in me, of course, immediately objected: this process assumes from the outset that these ‘accusations’ are myths; it cannot be an objective analysis.
Anyway, the five ‘myths’ are
- Antivirus security companies make the viruses
- Security companies hire hackers
- There are no viruses for Mac, Linux or cell phone platforms
- It requires considerable knowledge to be a hacker, develop viruses, infiltrate systems…
- Women don’t work in security companies
It is the second one that most caught my eye: security companies hire hackers. “Of course we can’t speak on behalf of the entire industry, but at Panda Security this issue has been a concern for us and we have never knowingly contracted ‘black hat’ hackers. We have however hired – and we are always looking out for – ‘white hat’ (basically, the good guys) hackers.”
I don’t doubt Panda for one second; but what is the difference between a white hat and a black hat? Is it motive? Well, one man’s freedom fighter is another man’s terrorist; so how can you decide?
Consider the Aspergers Syndrome (AS) connection. Mitnick once said “After my arrest, I met this hacker from the UK who told me he was diagnosed with this Asperger syndrome: people who are not good in social relationships, but they are very good with numbers, very good at focusing on a problem for a very long period of time. As he described it, I realized, ‘Wow, that sounds like me.’ The more I thought about it, it seemed to describe people I know who are into hacking.”
Today, of course, Gary McKinnon is a diagnosed AS sufferer.
A 2001 USA Today article said of Aspergers sufferers: “But this occasionally causes them to act out against what they see as injustice and take credit for their deeds, similar to hackers who defend their attempts to infiltrate networks as efforts to identify shoddy security, rather than to profit by stealing data, experts say.”
And AS is sometimes characterised by ‘right motive, wrong action’. So, is evidence of AS the difference between a white hat and a black hat?
There are other issues. The history of infosec is riddled with hackers moving on to found the early security companies. And in recent times there are some celebrated cases of hackers being employed by the industry. Two examples:
Mikeyy Mooney, the 17-year old hacker who caused mayhem on Twitter with a series of worms on the micro-blogging website last weekend, has been rewarded with a job in web applications development according to media reports.
Frankly, the news that exqSoft Solutions has approached and hired Mikeyy Mooney, the teenager behind the StalkDaily and Mikeyy worm attacks, has really got my goat.
Firm hires Twitter worm author Mikeyy Mooney, by Graham Cluley on April 17, 2009
Now Towns has resurfaced, only this time he hasn’t infected unlocked iPhones with another 80s pop star. Apparently, someone took notice of Towns’ “skills” and has offered the hacker a job. He made the announcement via his Twitter page, saying that he is now working as… hang on for this one… an iPhone application developer!
Tom’s Guide: Nov 30 2009
But you have to wonder whether these hires are seeking programming skills, or just cynical attempts at gaining publicity: in other words, the companies concerned are employing ‘celebrities’ rather than hackers.
The reality is that some security companies do and always have employed ‘ex-hackers’. And I really don’t know whether this is ultimately a good thing or a bad thing. I have to take the craven politicians’ route: “We should examine each case on its own merits.”
I have been pointed towards a fascinating article by Lucian Constantin on Softpedia: Italian Authorities Want to Hire a Romanian Hacker Genius
This raises some difficult questions. The hacker-genius wasn’t hacking for the fun or kudos or to expose social wrongs: he is a convicted criminal identity thief. But he is also a computing genius.
It’s an age-old problem not limited to computers and hacking: just where do you draw the line between expediency and morality?