SecurityFocus 2003-04-15
SAN FRANCISCO--Should corporations hire known hackers with criminal records to test and secure their networks?
Debate: Should You Hire a Hacker?
2003-04-16
Anonymous (4 replies)
Debate: Should you hire a convicted Hacker?
2003-04-16
Fantom Code (2 replies)
Debate: Should You Hire a Hacker?
2003-04-17
Dmitriy Kropivnitskiy <dmitriy.kropivnitskiy (at) citigroup (dot) com [email concealed]>
Debate: Should You Hire a Hacker?
2003-04-17
dmk (at) rarescience (dot) com [email concealed] (1 replies)

Almost every industry with a need for security advice utilizes reformed criminals. Frank Joseph Abagnale, a long-time check defrauder, convicted of fraudulently cashing over 14 million dollars in checks (much more than Mr. Mitnick's damages) and posing as an airline pilot, an attorney, even a doctor, is and has been paid by MAJOR financial services companies and banks to create 'secure' checks, and provide counsel to these industries. For this advice, Mr. Abagnale is compensated to the tune of millions of dollars a year. These extremely conservative firms (also with shareholders, Mr. Winkler!) don't seem to be squeamish about employing Mr. Abagnale. He was even the subject of a recent film, however glamorized, _Catch Me If You Can_.
The physical security industry has consulted in the past, and is probably doing so currently, with former burglars. Banks employed, at various times in history, bank robbers for security advice. Today we have more secure banks. The lock and safe industry, it is no mystery, consulted safe-crackers at times in the past. In fact, the famous 'cannon ball' safe, the bane of the Newton gang, was a design by a former safe cracker and brought cowboy-style safeblowing (the then-equivalent of 'script kiddies') virtually to a halt.
All of this just begs the lack of historical education of sundry corporate CS/IO's. It also begs a question-- should such ignorant suits be allowed to shape the philosophy of a fledgling industry (computer security)? Should we really be listening to former heads of marketing and such who were laterally 'promoted' during re-orgs thanks to cronyism? Rare are the SO's who have actual tangible previous security experience, and accordingly a sense of perspective on how to think about these things.
We need to use any resource that's available. Sometimes a better opportunity is all that is needed to induce criminal reform, especially in the case of the better and brighter, white-collared breed of criminals, whose motivation is often money-- and the better and brighter are whom the industry would and should be interested in. That soapbox aside, all this paranoia is just that-- paranoia. Ignore this nonsense.
I'm surprised Schneier hasn't gotten around to lambasting this practice with a little dose of history.