SecurityFocus 2000-09-01
The corporation formerly known as the L0pht courts Mark Abene, balks at his hacker past.
People who have been able to escape their teenage years unscathed consider themselves better than other hackers.
So Abene was surprised when the company, which was apparently ignorant of his history when asking him to join its budding New York office, abruptly withdrew its offer in the final phases of hiring. As Abene describes it, the @stake recruiter tiptoed gingerly around the reason for the company's change of heart, before she finally explained in a voice dripping with contempt and finality, "We ran a background check."
Whether @stake's investigation turned up the countless books and magazine articles written about Abene in the first half of the last decade, or the 1993 hacking conviction that landed him ten months in federal stir, the result was the summary rejection of the man once known as "Phiber Optik" by a company whose vice president of research and development answers only to "Mudge." Now Abene is crying foul, charging
"I see a rift generating," says Abene. "People who have been able to escape their teenage years unscathed have this elitism. They consider themselves better than other hackers who were unlucky enough to be prosecuted for whatever reason, or for whatever mistakes they made."
Unlike Abene, and notwithstanding their underground image, none of the L0pht's members are known to have committed a computer crime. The group is generally regarded as a collective of "gray hat" hackers who publish programs that test network security, like the $100 L0phtCrack password cracker, and discover and publicize vulnerabilities in software products. They've claimed that they retain their handles, Brian Oblivion, Dildog, Kingpin, Mudge, Silicosis, Tan, and Weld Pond, not because they have anything to hide, nor to capitalize on the mystique hackers hold with the media, but because it's how they've always been known in the security community.
(@stake declined comment for this story, except to issue a written statement saying that the company performs background checks on all new hires. Mudge did not return phone calls.)
Abene, on the other hand, was renowned for his unauthorized romps through telephone systems and packet-switched networks in the years before the Internet blossomed. Back then, he had a reputation as a non-destructive and mediagenic hacker who never concealed his actions; in the 1992 book "The Hacker Crackdown," author Bruce Sterling wrote of Abene, "Even cops seemed to recognize that there was something peculiarly unworldly and uncriminal about this particular troublemaker." His raid by the U.S. Secret Service was a focus of John Perry Barlow's "Crime and Puzzlement," the first manifesto of the electronic civil liberties movement.
In the years since Mark Abene last used his handle, he's worked doing penetration tests for an accounting firm, and now heads a three-man computer security consultancy in New York called
As the head of a small business, Abene says he's doing "fairly well." But in the world of large security companies with millions in funding, his conviction may matter more. "It's definitely an interesting paradox in the industry now," says Space Rogue, who until last June was an employee of @stake's L0pht component and the editor of the Hacker News Network. "The mantra has gone from, 'we don't hire hackers'--because everyone does whether they know it or not--to, 'we don't hire criminals.' Which means as long as you don't have a criminal record, you're good."
Indeed, there are few hackers from the eighties and nineties who can't rattle off a list of peers from the computer underground now working for top-name security firms. But confirming them without the paper trail of a criminal conviction is tricky--perhaps mercifully so for companies who need the talent. "That seems to be the one saving grace," says security consultant Chris Goggans, who freely admits to his own hacker past. "A lot of companies can hire these people and look the other way because they were never arrested."
As "Erik Bloodaxe," Goggans was a member of the '80s hacker gang the Legion of Doom, and an Abene rival. But he was never prosecuted for a computer crime. "I look back and think, I was really, really lucky." Now, as director of operations at Virginia-based Security Design International, he says he'd have to turn away an applicant who'd been convicted of hacking. "For the kind of work that we do, if they had a past history of being convicted for any felony, I wouldn't hire them," says Goggans. "It affects a company's errors-and-omissions insurance, whether they can be bonded, whether the applicant will be able to hold [defense] clearances."
Even 20-year-old security wunderkind Marc Maiffret, "chief hacking officer" and cofounder of eEye, a California security software firm that recently raised $5 million in venture capital, says he'd hesitate before hiring an ex-cyber-con. "If somebody does have something on their record, they need to be that much better," says Maiffret. "They need to be twice as good."
Maiffret admits to a past that includes cracking Pentagon computers, but says he'd hire himself, because he is that good, and he's grown older and wiser since then. "That's stuff that happened, like, three years ago now."
The reporter is a convicted hacker.