Cisco and many other majors won't employ any ex-cons; nevertheless, security experts from the dark side are finding their expertise is in quiet demand.

InformationWeek Staff, Contributor

March 7, 2008

What happens when hackers who have served time in prison or home confinement are released? The very skills that can land them behind bars are skills they share with high-achieving, law-abiding IT security professionals. But convicted hackers looking for legitimate employment are not necessarily finding it in the enterprise.




Adrian Lamo, Kevin Mitnick, and Kevin Lee Poulsen circa 2001.

Witness Kevin Mitnick, cult hero for the computer kids and now a star of the lecture circuit. Or take Robert Tappan Morris, who unleashed the first-ever Internet worm in the 1980s. After serving probation, he became a tenured professor at MIT with a specialty in network architecture. Meanwhile, Kevin Poulsen, arrested for hacking federal systems, served five years, then made his name as a security researcher at SecurityFocus, before becoming a Wired News editor. (In his free time, Poulsen recently began mashing together public records and MySpace pages to track down sex offenders misbehaving online, which resulted in a related arrest.) On a similar note, after house arrest and probation for breaking into The New York Times intranet, Adrian Lamo turned journalist.

Their numbers are growing. The Department of Justice reports substantial increases in federal investigations and prosecutions of intellectual property (IP) violations. In FY2007, 287 defendants were sentenced for IP crimes, representing a 35 percent increase over FY2006 (213) and a 92 percent increase over FY2005 (149).

If the "celebrities in hackerdom" profiled above have one thing in common -- besides suggesting an opportunity for post-incarceration gainful employment involving academia, journalism, or motivational speaking -- it's that an information security career may not be in the cards for convicted hackers.

Current security professionals put it more bluntly. "It's extremely unlikely that I'd hire a former hacker, whether allegedly 'reformed' or not. The reason? Too much risk," says Aladdin Ossorio, who's led information security practices in both the boutique consulting and Big Four realms. "In high-end consulting, your name is your brand." Furthermore, clients often request resumes for all team members on offer, and suggesting a former cracker with a felony conviction won't land the contract.

Hacker Mystique Meets The Job Market

While it might sound romantic to hire a hacker, "if you are HR, and you can hire a skilled hacker with seven years of experience, or a skilled ex-con with a seven-year gap of experience, who do you think will get hired?" asks professional security researcher Jon Erickson, who authored Hacking: The Art of Exploitation, 2nd Edition. "There might have been a reason for it back when the distribution of security knowledge was lumpy. If you need to hire an ex-con, sure, you'll do it. But in the year 2008, there are thousands of skilled hackers who don't have criminal records, competing for work."

In addition, don't conflate a hacking conviction with programming street cred. "Criminal records prove nothing except that you were stupid enough to get caught in the first place," he says.

Convicted Black Hats Need Not Apply

Do any convicted hackers end up with security day jobs? "Mitnick is the only person I can think of who has gone back to security after being in prison, and even for him, it's not really security," says Erickson. "It's more that he's capitalizing on fame he gained while being a martyr." As far as the information security field goes, "for the most part, if you get sentenced, you're pretty much [out of luck]." Kevin Mitnick, now head of Mitnick Security Consulting, offers a similar perspective, noting that while he spoke at a Federal Probation & Pretrial Officers Association conference in Long Beach, Calif. just last month, "I don't think that's typical." Rather, he says most people with a hacking conviction "probably work as security testers -- the ones who work in pen testing or in ethical hacking."

The Post-Incarceration Job Forecast

Conducting penetration tests of corporate networks does seem a perfect technical fit for convicted hackers, yet most major software firms and large manufacturers, including Cisco, simply don't hire ex-cons, says Cisco engineer Jimmy Ray Purser. Yet the fierce technology product and service reseller market, in which companies compete predominantly on price and value, can be a different story.




Cisco's Jimmy Ray Purser

When Purser worked for a Chicago-area reseller, more than once, he suspected "dark" arts behind competitors' proposals. "I would read a [penetration] test plan, and I could tell that this guy must be a former hacker," based on some of the techniques proposed. "Then I'd meet this guy, and often come to find, under whispers, that he did some time."

Some resellers, he says, seemed to leap at the chance to recruit a "security ringer" to help secure contracts, and offer these convicted hackers competitive salaries to boot. "They look at this as a business investment, because they don't have to train this person to know security. Teaching people how to configure a firewall, that hardware-type stuff? That's a piece of cake. But teaching someone how to break into networks, and have that mindset where you're trying to think of any way into a network?" Different skill.

Mindset aside, however, know that security assessment skills can be thoroughly mastered without digital breaking and entering. "Today, the equipment has changed, there are operating systems with no licensing fees, there are books -- you don't have to trespass on corporate systems to learn about it," says Mitnick. "Rather than phreaking the local phone company," he says, "friends should challenge each other to see if they could hack into each others' systems -- with permission. I encourage people to go in that direction."

The Decline And Fall Of The Lone Gunman

Of course, asking whether companies should hire former black hats begs the old "fox in the henhouse" question: In this era of rampant identity theft, data breaches, and the asymmetric threat already posed by insiders, should companies risk putting former criminals in proximity with any IT systems, source code, or sensitive data?

Realize too that the overriding impetus for hacking has changed. "The old school was more for the challenge and curiosity," says Mitnick. "That's not to say I didn't break the law, that's just to say it's a lot different in today's world, where the traditional criminals are using hacking to commit crimes, rather than the crime being the hacking itself."

Indeed, criminal organizations are now behind many computer crimes. "Over the last 10 years, I do think there has been this paradigm shift in hackers, so you don't have as many lone gunmen out there that are doing it more for supposed intellectual gratification," says Christopher Painter, principal deputy chief of the Computer Crime and Intellectual Property Section at the Department of Justice. "We are seeing a shift to older, more experienced criminals, and more of an emergence of hacking for money."

How to Read a Criminal Record

When it comes to considering a former hacker for an open job, then, hiring managers might consider questions of motivation, intent, and remorse. "I certainly do believe that folks need a second chance, especially if they're young and make a mistake," says Cisco's Purser. Furthermore, put together a few people who can think outside the box, "and you can really go a long way."

How many convicted hackers regress? "It really depends on the individual," says Painter. "There were times when people were convicted who were never again convicted, then there were computer criminals we prosecuted multiple times."

Herding Former Black Hats

If companies do hire convicted hackers, Purser recommends pairing them with a security professional who can read the warning signs of any illicit activities. Also, any code they write should be scanned to validate its security, and source code reviews should be commissioned from an external third party.

Of course, that's not so different from the attitude companies should take toward all IT staff and programming talent, says Robb Boyd, managing editor of the Cisco Interaction Network. "As companies struggle to decide, 'Would I hire a hacker?' -- maybe because they're faced with that question -- my question would be, well how many hackers do you have on your staff, and what are they doing?" Next question: can you prove it?

When Good Employees Go Bad

Turns out in the corporate realm, there can be a fine line between what constitutes hacking and what constitutes legitimate activity. Accordingly, companies should provide all employees with a clear picture of what is allowed, or not, and make sure everyone stays within prescribed boundaries, says Ossorio. For example, "we often run audits on our own work to verify that we haven't overstepped our bounds." Just as importantly, "we spend a lot of time training young engineers in understanding that just because they 'can' do something, that doesn't mean they should, or that they even have permission to do it."

Consequently, he has little tolerance if someone oversteps that mark. For example, during a recent e-business portal launch, one member of his team "began installing code, probes, and monitors that were not explicitly documented either in the business plan or technical architecture maps." After speaking with the engineer at length and prohibiting all such activity -- though "intriguing," it was undeniably outside the project scope -- Ossorio also had the engineer's system access audited.

One week later, unfortunately, a follow-up audit revealed the engineer hadn't altered his ways. "After spending another hour with him, it was clear that he didn't 'get it,'" says Ossorio. "With no further warning, I walked him to his cube, impounded his laptop, and told him to take the next flight home. I notified HR; he was reassigned a week later, had a problem on that assignment as well, and was terminated immediately thereafter."

As that demonstrates, hacking isn't just about skills, but also judgment.

Even so, Ossorio says he might still contract with a former cracker. "I would gladly pay a 'reformed' hacker to train our guys on both hard and soft hacking techniques. I see no problem at all with that," noting that he regularly hires outside experts to train his consultants. "I want my guys to learn from the best, and some of these guys are pretty good."
