Friday, 4 December 2009

The Fruit of the Poisoned Tree

By M. E. Kabay
Network World
12/02/2009

Should we hire criminal hackers as security experts? This is the second of a two-part attack on the idea from a 1995 debate in which I participated.

* * *

On a broader scale, consider the message you would be giving some thirteen-year-old proto-hacker. These kids, like most kids, are tremendously susceptible to peer pressure. They already find criminal hacking attractive because it's viewed as today's counter-culture -- something fairly harmless (compared with, say, dealing drugs) but exciting because it's illegal. Now imagine that the older creeps can announce that they've just been hired by The Man (i.e., authority figures) to work in counter-intelligence, snooping in foreign companies' files for money (you don't imagine they'd keep it quiet, do you?) -- Oh man -- not only is criminal hacking glittering with the allure of the forbidden now, but you can hope to earn money with it from the government!

The children and emotionally-arrested adolescents involved in criminal hacking already have a love/hate attitude towards The Man. Many of them claim that they'd like to work for security firms when (if) they grow up. This myth that criminal hacking is a reasonable basis for work in security would become even more pernicious if it were known that more hackers had in fact been solicited and used by government or corporate organizations. Using such people would reinforce the attractiveness of criminality.

Consider the outcry if the military in a democracy actively solicited murderers to be soldiers. The great challenge of military training is to temper savagery with honor; to provide a moral framework within which war is viewed as undesirable, killing as regrettable. A soldier who lies is a stain on his unit's honor. A soldier who steals is a wretch who deserves expulsion. And a soldier who breaks his word is a traitor to his country. And so how shall we deal with people whose entire way of life is to lie and to steal and to cheat?
