SecurityFocus 2000-09-01
The corporation formerly known as the L0pht courts Mark Abene, balks at his hacker past.
Their debt has been paid
2000-09-01
Alascom (paw (at) paw (dot) org [email concealed]) (3 replies)
Their debt has been paid (child molester babysits kids)
2000-09-03
mujahadin (at) hushmail (dot) com [email concealed]
What do you mean, they didn't know?!?
2000-09-01
H Carvey <keydet89 (at) yahoo (dot) com [email concealed]>
Why should @Stake hire him?
2000-09-01
livid (1 replies)
Why should @Stake hire him? (why shouldn't they?)
2000-09-02
hal0joneZ (1 replies)
Why should @Stake hire him? (why shouldn't they?)
2000-09-04
joe mama (1 replies)

Especially important is that a person's skills tend to dictate a field of jobs, not just one, and that some of those specific jobs carry too much liability to trust with a criminal. An ex-burglar might help security companies develop a better alarm system but you wouldn't want him installing them. A convicted shoplifter can't be trusted to run a cash register or stock items, but you'd probably want this person watching video monitors. Does it make more sense for Kevin Mitnick to admin AT&T's computer network or to hit the lecture circuit (as he's doing) and merely advise them about trouble spots?
Another point I strongly agreed with was reputation. @stake has high-profile clients who don't want the appearance of dealing with criminals, and @stake itself doesn't want to give the media and other opponents ammunition with which to call them criminals themselves. That leads into a very interesting point that hasn't much been covered: Abene seems to allege that all gray-hat hackers are simply criminals who were never caught, and that the L0pht team was composed of criminals.
As far as I know, L0pht has no criminal history whatsoever and its former members are squeaky-clean. It's possible that some of them were crackers at some point, but I've never seen any actual proof of that. Those same people are, however, considerably famous in the gray-hat community, giving @stake a world of prestige without the tarnish of criminal acts. Companies are willing to work with @stake, and to consider them among prominent white-hat organizations, because they carry heavy-hitting names, but those names are also known not to be actual black-hat hackers in disguise. In contrast consider if an organization hired gray-hats who admitted to crimes and some who were ex-cons; could such a company pick up any serious business? It could operate successfully, but not with the sort of clientele @stake sees.
We live in an era of liability and consequent butt-covering. Big businesses won't hire a security firm with a questionable recruiting policy; smaller businesses might. For the sake of calming stockholders and showing a good face, corporations will also tend to hire companies with well-known, competent personnel. @stake clearly has the advantage on both sides of that, and has no desire to disrupt it. They have competition--stiff competition, I'd guess--from even cleaner-cut organizations who nevertheless can't bring a group like L0pht to the table.
For the same reasons of butt-covering, @stake can't afford to hire ex-cons. What if one of their clients got hit by a back door left by a convicted criminal, and it came out later that @stake knew about his past when they hired him? Instant lawsuit. L0pht's background could be thoroughly checked without a hint of trouble, so there's no liability for @stake unless they have good reason to believe one of their employees is about to cross the line. It all raises the question of whether Abene would actually go back to cracking if given a good opportunity, but then neither @stake nor its clients can afford to take that chance; now that denying his application is more widespread news, if anything it gives people more confidence in their hiring policy.
L0pht may be shady-looking to some, but to accuse @stake of hypocrisy is pointless. The members of L0pht were never convicted of any computer crime, and to my knowledge never admitted a single criminal act. Abene, on the other hand, was convicted. While this does sort of look like an "It's only wrong if you're caught" type of reasoning, remember that in the United States the concept of presumption of innocence is still supposed to apply. For @stake it was a judgment call: They didn't have to hire gray-hats, but they decided that this group was clean, and it carried a strong reputation that would only encourage business. In Abene's case, they know he's not clean; he may be very skilled, and he may have gone perfectly straight, but he's a risk nonetheless and there's nothing forcing them to take it.