UPDATE: Can You Ever Trust A Hacker? UBS Trial Puts It To A Test
The defense cast doubt on the role that a one-time famous hacker played in the investigation.
After 20 years in computer security, including 11 in the financial services industry, Karl Kasper is being vilified as a dangerous man.
Over the past month, in the trial of former UBS PaineWebber system admin Roger Duronio, Kasper has been attacked by the defense because of his background as a computer hacker and his role in UBS's investigation of the attack. The lawyer for Duronio, defending him against charges that he sabotaged UBS PaineWebber's trading network four years ago, asserted that hackers can't be trusted to do a credible investigation. Kasper says the defense team is just desperate. (A verdict is expected this week.)
Regardless of the outcome, Kasper's involvement in the case raises anew important questions about whether ex-hackers should be hired for their information security expertise.
Kasper got involved with UBS PaineWebber days after the "logic bomb" was detonated. UBS hired his company, @Stake, to conduct the initial forensic analysis. Kasper has impressive security credentials. He helped found @Stake and has testified in front of a Senate committee about security issues; he's since left @Stake and works as a VP in IT security at JPMorgan Chase, not the first financial services firm at which he's worked. Still, he's being haunted by his time as a member of the L0pht, a hacker group that achieved star status in the 1990s.
The defense in the Duronio trial made much of the fact that in the computer industry, Kasper goes by the pseudonym John Tan. Is that akin to a writer using a pen name--Kasper treats it as more of a marketing brand name--or is it a sign of something devious below the surface of business suits and board meetings?
It's a question that has been asked before as hackers left their black T-shirts and ponytails behind and entered the mainstream to cash in on their technical savvy. As they worked away in their cubicles, many people forgot they had once poked at systems and applications, looking for flaws that would leave people and companies open to attack. Many still do those same kinds of penetration tests, only now they do it for a regular paycheck and a 401(k).
Back in their hacker days, did any of them ever use the holes they found to break into systems, peek at private information, or even cause damage? In some cases, yes. But it's unfair and inaccurate to say they all did.
Having hackers work at computer security companies or as IT consultants generally elicits one of two responses: It's the smartest thing you can do, or what the hell are you thinking?