Tuesday, September 9, 2008

Integrity matters

At some point we mentioned the misguided intentions that people may have when breaking into computer systems. There appear to be seven common motives involved, which we discussed [1]:

1. Boredom
2. Intellectual challenge
3. Revenge (disgruntled employee)
4. Sexual gratification (stalking, harassment)
5. Economic
6. Political (terrorists, spies)
7. Fame

We also discussed cases in which the perpetrator was hired as a security consultant after the incident (and often by the very company s/he penetrated). The question arises: "Should people be given a second chance?"

On one hand, you have the argument that this person is highly skilled, so who better to have as a security consultant? S/he already knows the security issues of the company in question. S/he knows what things to protect against. Also, don't people deserve a second chance? People can change, and not everyone is a recidivist.

On the other hand, how can you trust someone who just penetrated your network and therefore knowingly broke the law? There is already an issue with the moral fiber of the perpetrator due to his/her actions in the incident. How can we know that this person will not do something illegal in the future, either against this company or against someone else? There are other issues that cause one to question hiring this person - not just because s/he has questionable tendencies, but also because there may have been little actual skill involved in the penetration itself. The person could have gotten lucky, or just used a common tool, and may not really understand the technical details of the attack. Also, it is often argued that it is much easier to break something than to protect it from potential threats. Therefore, just because someone breaks into a network does not mean that s/he is an expert (there are numerous exceptions to this, however).

There was an interesting blog post by Richard Bejtlich of TaoSecurity about this subject of trusting "reformed hackers" (remember, I don't like using the term hacker in a negative light like this, but this is from the article...). I don't know enough about this particular case to cast any opinions and certainly don't want to draw any malicious attention my way, so I'll let you read the article and come to your own conclusions. Make sure to read the comments as well.

Perhaps it would be better to hire this person after sufficient time has passed since the incident (after s/he has proven himself/herself trustworthy). However, doubts will most likely remain.

What are your thoughts about this?

[1] Marjie Britz, Computer Forensics and Cyber Crime: An Introduction. Prentice Hall, 2004.