
Fighting the hacker myth

Ira Winkler continues the debate on hiring hackers.

What is a hacker?

The term has been bastardized so much that it's hard to tell. For the purposes of this piece, "hacker" describes a person who breaks into computers without permission and likely commits other crimes after that.

If it's so easy to break into computers, how come most computer professionals don't seem to know how?

They don't have criminal intentions, and nobody asks them to. When I take a seasoned administrator and tell him to break into a computer, he learns the task in a heartbeat. People who are not inclined toward what would otherwise be a criminal act spend their time on something more productive.

How do you learn about computers if you don't explore computer systems?

You can explore your own systems all you want. Maybe if this were the early 1980s, when computers were not available to the average person, I could understand this as almost legitimate. Today, however, there are hundreds of computer books. You can download Linux for free. You can buy used but sufficient computers for under $100. You can set up a home network. You don't need to commit a crime to learn about computers. For that matter, if you claim that you learn from the computers you break into, you are only learning how not to secure a computer. If you want to be productive, volunteer at non-profit organizations and maintain their networks, develop applications and serve the general good.

If someone is convicted of a computer crime, does that mean that they can never get a job again in the computer profession?

Clearly it is problematic for the computer security profession. However, if a "hacker" truly has computer skills, then he can get a job in dozens of other areas of the computer profession. It is just a matter of whether an employer wants to hire a convicted criminal. The problem is that many computer hackers don't have the basic computer skills that would allow them to move between disciplines within the computer industry. If that's the case, they don't have the skills for computer security anyway.

Hackers love to point to Steve Wozniak as an example of a hacker and declare him a computer criminal who went free. It is pretty much acknowledged that he built devices that allowed people to get free phone service. He did not, however, go to the telephone companies and say, "hire me to protect you." He started his own computer company and an industry. If a hacker really has talent, he can do this.

What do you say about the fact that there are hackers working as professionals? At least you know the issues with the convicted criminals.

There are criminals and otherwise incompetent people in every profession. That does not mean that you seek them out to do jobs. You don't seek out a disbarred lawyer. You don't look for a doctor who had his license pulled. The fact that an unknown criminal may already be working somewhere in the profession does not justify knowingly hiring another one.

What about teenagers who commit crimes? Is their life ruined?

It is my personal opinion that there is a clear difference between a teenager who was scared straight after his first scrape with the law and a career criminal. Everybody does stupid things as a teenager, and sadly, the media portrays hacking heroically. This tempts a person into something that appears to be a petty crime like graffiti, as opposed to a significant felony. There are other people who do not go straight after their first scrape with the law. These are people who are predisposed to crime. They tend to believe they are smarter than other people and that the law doesn't apply to them. They commit multiple crimes well beyond their teens. If a teenager can keep his nose clean, go to college and get other computer-related jobs, then maybe by his mid-twenties it is relatively safe to believe he will stay away from criminal activity for the long term.

What about reformed hackers?

In my article I describe this concept as the biggest crock of garbage. Yes, some criminals are reformed. However, the fact that they have been released from prison does not mean they are reformed. You cannot declare yourself "reformed." Reformed is a state of mind, not a proclamation. Being reformed means that you have changed your entire thought process. You change your environment. If you are a computer criminal, reformed means that you stay away from temptation. As previously described, reformed people might go into other areas of the computer industry and stay away from security. The problem is that it is impossible to read someone's mind.

However, it is easy to see when a self-proclaimed reformed hacker is faking it, in my opinion. They say one thing in front of the establishment, then live for the glory of their past crimes in front of the hacker community. They hide most of their past actions and try to reframe them. They choose wording that minimizes their crimes. That is probably the big issue.

Reformed people will avoid talk of their past crimes and if it is ever brought up, they are embarrassed by it. They clearly and consistently acknowledge that their past actions are wrong, and they truly regret their crimes. There is no popular hacking figure that currently fits this bill.

I still want to hire a hacker knowing this. Is this a problem?

Unless you are willing to accept the risk and public embarrassment, yes, this is a big problem. One of the big problems with computer criminals is that they have typically been prosecuted for only a small subset of their crimes. Even then, they plea bargain down what goes on their record. It is almost a guarantee that they have committed far worse crimes than the ones they were convicted of. Why would you want to expose yourself to such risk, especially when there are more than enough computer security professionals with skills equal to or better than those of any criminal hacker?

But who better to see if systems are secure against hackers than a hacker?

Assuming you just want to see if a system is vulnerable and don't care whether the person knows how to fix it, this is still a big problem. There are many ways to break into a computer. Just because a hacker knows how to break into it one way doesn't mean he knows all the ways to break into it. That means the hacker could be turned away by one defense while your system remains vulnerable by another route.

If you want the system fixed, that is a whole different problem. There is no example, in computers or anywhere else, where fixing something is as easy as breaking it. It is easy to break things in general and far more difficult to fix them. This is just as true in the computer field.

About the author
Ira Winkler, CISSP, CISM is chief security architect at Hewlett-Packard. He is also author of the forthcoming book, Spies Among Us (McGraw-Hill).

  • Read Ira Winkler's op-ed on the topic of hiring hackers.
  • SearchSecurity editors Mia Shopis and Crystal Ferraro face-off on the topic of hiring hackers.

This was last published in January 2004
