[ISN] Commit a crime, no network time?

From: InfoSec News (isnat_private)
Date: Thu Apr 17 2003 - 00:39:15 PDT

  • Next message: InfoSec News: "[ISN] NASCAR Fan Faces Prison Time for E-mails"

    http://news.com.com/2100-1009-997170.html
    
    By Robert Lemos 
    Staff Writer, CNET News.com
    April 16, 2003
    
    SAN FRANCISCO -- Would you have a hacker convicted of a cybercrime
    watching your corporate network? A panel discussion on the role of
    hackers in security tried to answer that question, but the debate on
    Wednesday turned into a verbal boxing match, reflecting the deep
    divide between those who believe that convicted cybercriminals
    shouldn't have a role in security and those who believe that they
    should.
    
    "How do you explain to your shareholders that you are going to hire
    someone (to guard your networks) who has been jailed, not once, but
    multiple times," argued Ira Winkler, chief security strategist for
    Hewlett-Packard, who contends that hackers bring no special security
    knowledge and are an unacceptable risk to any company that hires them.
    
    The question was aimed directly at former hacker Kevin Mitnick, who
    has multiple convictions for computer crimes and who also spoke on the
    panel at the RSA Security conference here. Mitnick contended that
    hackers should be hired, but only after close evaluation.
    
    "I think that it depends on the person--what value they bring," he
    said. "Trust has to be evaluated on a case-by-case basis."
    
    The argument mirrors the security industry's angst about its past.  
    While some security experts learned their craft in the government
    sector or through school, many of today's consultants and researchers
    were yesterday's hackers. In many cases, the person may not have done
    anything illegal, but in other instances, it was a matter of not
    having been caught, Mitnick said.
    
    "Many people in this industry who are well-respected used to hack--I
    traded vulnerabilities with some of them," said Mitnick, now a
    security consultant. Companies still try to hide that fact today, he
    said. "You have to question people who stand on a high ladder and say
    that they don't hire hackers, when in reality they do."
    
    Mitnick, arrested in February 1995 for computer crimes, spent nearly
    five years in prison and another three years under restrictions that
    limited his use of technology. Now he gives talks on security, has
    written a book and has started his own security company, Defensive
    Thinking.
    
    Many security experts don't believe that hackers have much to offer.  
    The International Information Systems Security Certification
    Consortium, the group that administers the well-known Certified
    Information Systems Security Professional credential, doesn't allow
    its members fraternize with hackers, for example.
    
    Winkler seems to agree. The security expert expressed doubt that
    anyone who had been convicted of illegal hacking could reform to the
    point that they could be put in a position of absolute trust, such as
    in the role of a system administrator.
    
    "The reason that (hackers commit crimes) is because they have already
    rationalized (criminal acts)," Winkler said. "I heard (Mitnick) call
    phone 'phreaking' a hobby. It's not a hobby, it's a felony."
    
    Trust versus skills Christopher Painter, deputy chief for the Computer
    Crimes and Intellectual Property section at the U.S. Department of
    Justice and another member of the panel, agreed that hackers convicted
    of cybercrimes haven't shown responsible behavior and thus should be
    suspect.
    
    "What hackers have shown is a disrespect for others' rights and
    property," he said. "What does that mean, especially if I am going to
    give them the keys to the kingdom?"
    
    Painter, who prosecuted Mitnick's case, stressed that hiring hackers
    adds a risk to the security equation that companies may not want to
    take.
    
    Yet hackers, who have learned by doing, frequently have skills and
    knowledge that others don't have, said Jennifer Granick, the clinical
    director for Stanford University's Center for Internet and Society and
    an attorney who has represented those convicted of cybercrimes.
    
    Granick argued that some activities in security require a person to
    have a hacker's mind set. "There is something about computer security
    that requires you to think about how to circumvent protections," she
    said. "You have to anticipate those uses to protect against them."
    
    She stressed that hiring people who have committed a cybercrime is not
    rewarding the crime. "Hackers think just like other people think when
    they commit crimes, which is, 'I will not get caught,'" she said.
    
    Even Winkler admitted to hiring members of the Ghetto Hackers, a
    so-called ethical hacking group, but he said the group doesn't promote
    illegal hacking and has real-world credentials.
    
    "I hire people based on résumés, not on criminal records," he said.
    
    While many people admit to being an old-school hacker--that is,
    someone who simply likes to play around with technology--hackers are
    now generally thought of as those who break into systems.
    
    Mitnick said that even criminal hackers can change their ways and want
    to help foster security, not hurt it, in the same way that many drug
    addicts recover and go on to counsel others.
    
    But the Justice Department's Painter said that Mitnick's analogy
    missed the mark. "It's asking the drug addict, not to be the
    counselor, but the pharmacist," he said.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Apr 17 2003 - 04:19:08 PDT