The contentious sparring between Hewlett-Packard Co. chief security strategist Ira Winkler and convicted hacker Kevin Mitnick came to a head Tuesday afternoon at RSA Conference 2003.
Under the guise of a general-session debate on whether enterprises should hire former criminal hackers to do network penetration testing, the session quickly dissolved into 65 minutes of Mitnick defending his transgressions and Winkler aggressively pressing the former hacker on his skills and those of his nefarious former colleagues.
Nevertheless, a packed session hall took in the verbal jabs with glee and boos throughout the event, with Winkler getting the bulk of the cheers but absorbing a few jeers, too, as some applauded a few of Mitnick's points.
Trying to bring some sort of balance to the panel were Jennifer Granick, a hacker-sympathetic attorney who represented Mitnick, and Christopher Painter, who was her counterpart during the trial. Granick teaches at Stanford Law School and is director of the school's Center for Internet and Society. Painter is deputy chief of the Department of Justice's Computer Crime and Intellectual Property Section.
Granick stood by her client, trying to buffer many of the blows coming from Winkler, who opposes the notion that it's a wise idea to bring former criminals into the enterprise to probe and poke at networks to determine vulnerabilities and soft spots. Painter, meanwhile, hammered home the notion that enterprises must examine the risks involved before bringing criminals inside their firewalls.
Perhaps the true balance on the day was provided by the attendees, some of whom took middle ground in the debate.
David W. Ford, president of Bozeman, Mont.-based Network Knowledge Inc., a security consultancy, advises companies on whether to hire people like Mitnick. He said, "You could hire them for their experiences, but don't put them in a position of trust. Don't hire them as your CSO. It's like banks hiring bank robbers as advisers. You don't give them the keys to the vault. I think you could take the same approach here."
Jon Graff, who works for Nokia, in Mountain View, Calif., said he wouldn't hire a former hacker for anything but an advisory position, and he would do even that reluctantly.
"I would have someone sit with them at all times, monitoring everything they did, including their breathing," he said.
As for the panel's discussion on the topic, it centered on one question: do former hackers convicted of crimes have skill sets so strong that the benefits of hiring them mitigate any risks associated with letting them get to know your systems intimately?
Mitnick said former hackers bring skills gained through real-life experience, not simulated penetration tests. Additionally, some companies may not hire people convicted of hacker-related crimes. But that's not to say they won't hire people who just didn't get caught. "I know of several who have started companies," he said.
Painter, the prosecutor, said that it comes down to a matter of risk assessment and trust. Enterprises must weigh the risk of bringing former criminals in-house and giving them the access they need to probe networks against the possibility that they have not changed their stripes.
Companies don't have to turn to former hackers like Mitnick, since there are plenty of reputable firms that can do just as good a job or better, Winkler said. Moreover, going to one of those firms would eliminate the risk associated with letting a convicted hacker have intimate knowledge of your systems. Should anything happen, Winkler said, how can a CEO or CSO explain to the shareholders that he allowed a convicted criminal to perform a sensitive test?
Companies should also be wary of hiring hackers just because they were skilled at breaking things. "It doesn't mean they know how to fix it," Winkler said.
"It's really easy to hack computers. It's the lazy thing to do," Winkler said. By contrast, developing legitimate computer skills is much harder.
FOR MORE INFORMATION: