Digg this story   Add to del.icio.us  
AtStake jilts Phiber Optik
Kevin Poulsen, SecurityFocus 2000-09-01

The corporation formerly known as the L0pht courts Mark Abene, balks at his hacker past.

When Mark Abene found himself being wooed last month by security services firm @stake, he didn't expect his hacker past from seven years earlier to come back to haunt him. After all, just last January a newly-minted @stake was basking in media limelight after announcing a merger with the group the company described as the "renowned hacker think-tank" L0pht Heavy Industries.

So Abene was surprised when the company, which was apparently ignorant of his history when asking him to join its budding New York office, abruptly withdrew its offer in the final phases of hiring. As Abene describes it, the @stake recruiter tiptoed gingerly around the reason for the company's change of heart, before she finally explained in a voice dripping with contempt and finality, "We ran a background check."

Whether @stake's investigation turned up the countless books and magazine articles written about Abene in the first half of the last decade, or the 1993 hacking conviction that landed him ten months in federal stir, the result was the summary rejection of the man once known as "Phiber Optik" by a company whose vice president of research and development answers only to "Mudge." Now Abene is crying foul, charging @stake with hypocrisy in a flap that highlights the ambiguities and conflicts that arise as hackerdom's Generation X moves into corporate career slots.

"I see a rift generating," says Abene. "People who have been able to escape their teenage years unscathed have this elitism. They consider themselves better than other hackers who were unlucky enough to be prosecuted for whatever reason, or for whatever mistakes they made."

Unlike Abene, and notwithstanding their underground image, none of the L0pht's members are known to have committed a computer crime. The group is generally regarded as a collective of "gray hat" hackers who publish programs that test network security, like the $100 L0phtCrack password cracker, and discover and publicize vulnerabilities in software products. They've claimed that they retain their handles, Brian Oblivion, Dildog, Kingpin, Mudge, Silicosis, Tan, and Weld Pond, not because they have anything to hide, nor to capitalize on the mystique hackers hold with the media, but because it's how they've always been known in the security community.

(@stake declined comment for this story, except to issue a written statement saying that the company performs background checks on all new hires. Mudge did not return phone calls.)

Abene, on the other hand, was renown for his unauthorized romps through telephone systems and packet-switched networks in the years before the Internet blossomed. Back then, he had a reputation as a non-destructive and mediagenic hacker who never concealed his actions; in the 1992 book "The Hacker Crackdown," author Bruce Sterling wrote of Abene, "Even cops seemed to recognize that there was something peculiarly unworldly and uncriminal about this particular troublemaker." His raid by the U.S. Secret Service was a focus of John Perry Barlow's "Crime and Puzzlement," the first manifesto of the electronic civil liberties movement.

In the years since Mark Abene last used his handle, he's worked doing penetration tests for an accounting firm, and now heads a three-man computer security consultancy in New York called Crossbar Security, named for a type of vintage telephone switch. "The majority of the work that my firm has gotten has been through recommendations from other people," says the 28-year-old Abene. "We don't do any marketing or any publicity."

As the head of a small business, Abene says he's doing "fairly well." But in the world of large security companies with millions in funding, his conviction may matter more. "It's definitely an interesting paradox in the industry now," says Space Rogue, who until last June was an employee of @stake's L0pht component and the editor of the Hacker News Network. "The mantra has gone from, 'we don't hire hackers'--because everyone does whether they know it or not--to, 'we don't hire criminals.' Which means as long as you don't have a criminal record, you're good."

Indeed, there are few hackers from the eighties and nineties who can't rattle off a list of peers from the computer underground now working for top-name security firms. But confirming them without the paper trail of a criminal conviction is tricky--perhaps mercifully so for companies who need the talent. "That seems to be the one saving grace," says security consultant Chris Goggans, who freely admits to his own hacker past. "A lot of companies can hire these people and look the other way because they were never arrested."

As "Erik Bloodaxe," Goggans was a member of the 80's hacker gang the Legion of Doom, and an Abene rival. But he was never prosecuted for a computer crime. "I look back and think, I was really, really lucky." Now, as director of operations at Virginia-based Security Design International, he says he'd have to turn away an applicant who'd been convicted of hacking. "For the kind of work that we do, if they had a past history of being convicted for any felony, I wouldn't hire them," says Goggans. "It affects a companies' errors-and-omissions insurance, whether they can be bonded, whether the applicant will be able to hold [defense] clearances."

Even 20-year-old security wunderkind Marc Maiffret, "chief hacking officer" and cofounder of eEye, a California security software firm that recently raised a $5 million in venture capital, says he'd hesitate before hiring an ex-cyber-con. "If somebody does have something on their record, they need to be that much better," says Maiffret. "They need to be twice as good."

Maiffret admits to a past that includes cracking Pentagon computers, but says he'd hire himself, because he is that good, and he's grown older and wiser since then. "That's stuff that happened, like, three years ago now."

The reporter is a convicted hacker.

    Digg this story   Add to del.icio.us  
Comments Mode:
Their debt has been paid 2000-09-01
Alascom (paw (at) paw (dot) org [email concealed]) (3 replies)
Agreed, this is crap! 2000-09-01
BLKMGK (1 replies)
This makes me sick to my stomach 2000-09-02
Termy (at) ecad (dot) org [email concealed]
Their debt has been paid (child molester babysits kids) 2000-09-03
mujahadin (at) hushmail (dot) com [email concealed]
A presidents past 2000-09-05
Hyprocracy and prejudice 2000-09-01
Ichinin (Ichinin (at) suespammers (dot) org [email concealed])
Kevin, what the hell? 2000-09-01
More than that's unfair... 2000-09-01
uucpbrain (1 replies)
restoration of civil rights 2000-09-01
grayarea (at) html (dot) net [email concealed] (1 replies)
restoration of civil rights 2000-09-01
mb (at) gti (dot) net [email concealed]
Ha 2000-09-01
What do you mean, they didn't know?!? 2000-09-01
H Carvey <keydet89 (at) yahoo (dot) com [email concealed]>
So what?!? 2000-09-01
H Carvey <keydet89 (at) yahoo (dot) com [email concealed]>
Is all about the money 2000-09-01
Why *did* Space Rogue leave @Stake 2000-09-01
CString (1 replies)
Why *did* Space Rogue leave @Stake 2000-09-05
Space Rogue
heh... lamers... 2000-09-02
DAQ42 (2 replies)
shrug 2000-09-02
re: heh... lamers... 2000-09-02
The "clean room" stupidity..... 2000-09-02
Mike Roadancer (2 replies)
Hypocrisy 2000-09-02
The Dodger (1 replies)
Hypocrisy 2000-09-02
re: The 'clean room' 2000-09-02
The l0pht goes soft 2000-09-02
Amen 2000-09-02
Hiring Hackers 2000-09-03
Graham Burgess
A bit nieve 2000-09-03
Jeffery McLean (1 replies)
Weird 2000-09-04
Sacha Ligthert
Damage: L0pht vs Abene 2000-09-04
Elite Hackers are rats 2000-09-05
Binary skill? Get real. 2000-09-06
A Text On The Topic 2000-09-09


Privacy Statement
Copyright 2010, SecurityFocus