September 26, 2004

The minefield of hiring a hacker

If you haven't heard lately, Sven Jaschan, the author of many variants of the Netsky and Sasser worms, was hired by the German security company Securepoint to be a developer on their security software, including things like their corporate firewall suite.

In recent worms, hackers have been so bold as to include text asking for jobs. Recently I received a resume from a 'reformed' hacker who visits my blog regularly. Let me give you my take on the issue, and once and for all explain why I think it is a BAD idea to hire hackers.

First off, let's get the definition out of the way. In this context, being a 'hacker' is not the good connotation where you get around complex problems with interesting code. I, for example, am a hacker (good connotation). What I am not... is a CRIMINAL (bad connotation).

What's the difference? At the point where you breach someone else's resources without their permission, in my mind you are a criminal. When you leave the perimeter and enter into someone else's realm, which includes the network infrastructure (i.e., your ISP's Internet connection... remember, it's theirs, NOT yours), and you do something unethical and get caught, in my mind you are a criminal.

And in my view, criminals have no business being in the professional field of information security.

Yes, that is an EXTREMELY harsh statement. And it's meant to be. But it comes from experience. It comes from reality. And it comes from the need to protect the profession.

There are many hackers that I know and respect that are amazing coders. They have talents in looking at and deconstructing code in such a different way I could only lust after their expertise. But when you hire a 'hacker', you don't just get his or her amazing talents. You also get their ethics. And ethics are NOT something you can simply turn on and off at whim.

Now, before you go off all half-cocked and start spewing forth comments about how Kevin Mitnick is a perfect example of a reformed hacker gone good, let me spare you the trouble. I like Kevin; I have only met him once, and he seemed like a nice guy. I think the educational ambassadorial work on social engineering that he has done since his release from prison has been noble. But I still wouldn't hire him. His curiosity got the best of him, and he got caught. And even though he has served his time and is now considered reformed, the real point is that he served his time for a CRIME. What he did was criminal. A clear matter of fact. And he admits it. And wishes to move on. And I applaud him for that. He just won't be getting hired by me any time soon.

You see, I subscribe to a code of ethics which does not permit me the luxury of blindly trusting that someone else's ethics have changed... and I must make decisions from previous experience. I avoid professional association with those whose practices or reputation might diminish the profession. I might drink beer with them. Debate with them in the wee hours of the morning in hotel rooms at conferences. Listen to them to learn from their experiences and take constructive criticism on things I may not know, or do incorrectly. I will even work with them as part of security incidents. But I will NOT hire them onto my team. There are amazing people out there who DO have a higher code of ethics, so I don't need or want to waste my time HOPING someone has reformed. I have to trust the people on my team implicitly. I will not take that risk on behalf of my team, or my clients. So don't even bother asking. You will not be considered.

Posted by SilverStr at September 26, 2004 09:04 AM
Comments

Strong words, but words that must be said and said LOUDLY. I agree with you completely on this -- there really is a difference once that line has been crossed into the criminal.

Posted by: Robert Hurlbut at September 26, 2004 01:33 PM

FWIW, I completely concur re ethics. In nearly 20 years of working in IT Security, I've never (knowingly) hired anyone that has crossed that solid line in the sand. That said, I consider myself pretty open-minded and will gladly talk with anyone and hear out their opinions on things, even when they're completely different than my own.

But I wouldn't want a convicted embezzler controlling my finances, and I wouldn't hire a hacker to write business-critical code or assess the security of a client's systems.

But, that's just me...

Cheers,

Ken

Posted by: Ken van Wyk at September 27, 2004 07:04 AM

Without hiring them you will never be anywhere near as secure; whitehats are great, but they can only take care of the known threats ;) I myself design and implement open source intrusion detection and prevention systems for networks ("we're not talking little point-to-point LANs here, btw") and would be lost without any of these skills. I think there is a happy medium between the two: you can't be a soldier without knowing how to shoot.... my 2 cents...

Posted by: static at September 27, 2004 09:41 AM

I read the ISC code with great interest. I bristled at the elitist bit (being an amateur myself), but I got the commitment about avoiding any possible taint around involvement with criminals.

I am left with the question of how one might effectively employ a convict in software development and be ethically supportive of ongoing rehabilitation. I suppose it could be viewed as in-rehabilitation rather than rehabilitated, just as people in substance-abuse programs speak of themselves as being in recovery, not recovered. Then any rehabilitation would require assignments where there isn't any question of potential impropriety or criminal temptation. I suppose there needs to be a twelve-step program for recovering criminal hackers [;<).

I realize you are not addressing that concern. Your statement is clear and directly stated. It seems entirely consistent with the code to which you have pledged yourself.

PS: I once carried around a large orange button that had the slogan "Hire the Morally Handicapped." It's no longer funny (nor is "Elect the Morally Handicapped") and I don't regret having discarded it.

Posted by: orcmid at September 27, 2004 09:52 AM

Oops, have to post anew to correct my personal info. OK, amateur indeed. blush.

Posted by: orcmid at September 27, 2004 09:54 AM

static,

I'm not sure I quite agree here. I like your analogy about the soldier, so let's stick with it.

I never said the soldier should never learn how to shoot. He should learn, and get complete target practice at the range. When deployed in the field, he will still have those skills needed to fight the enemy; he will be able to shoot to kill.

But to practice, that soldier should NOT be walking into a mall, and shooting everyone walking by.

See the difference? There is nothing wrong with honing your skills on your own systems, or taking advantage of challenges provided to you like those at the Honeynet Project. You SHOULD hack. You should practice on systems you have the rights to do so on. Actually, until you do this and work on these skills... you shouldn't be touching a client's system.

This way, when you get in the field and need to fight the adversary... you can 'shoot to kill', so to speak. Or in this case, penetrate the system or software as required AND REQUESTED by your client.

Posted by: SilverStr at September 27, 2004 10:02 AM

Orcmid,

I'm not sure exactly how you would do this. I know from experience that we once gave a kid a chance who we knew to have criminal tendencies relating to stealing. This was found during a criminal background check. We also determined he was a very curious individual, who enjoyed hacking in the gray area as a kid. We took all the precautions to protect the organization while still giving him a chance in an isolated environment that could not hurt our clients. In the process of auditing his system, we found so much attack code, which he snuck into the network against our corporate security policy, that it wasn't funny.

If it wasn't for the safeguards we put in that he didn't know about (a transparent bridging firewall on his switched port with a passive Snort IDS recording all packets in binary mode), who knows what damage he might have been able to do to the corporate resources.

There are plenty of companies out there that can employ convicts in software development. And I don't think it's fair to blanket all convicts as not being allowed to work in the industry. A person convicted for drunk driving isn't in the same league as a person convicted under the Computer Crime and Abuse Act. It would be up to HR to determine what seems appropriate, and what risks the corporation would be willing to take.

I would imagine that for non-critical software in which lives are not at stake, convicts could very easily be employed if they have the appropriate skills.

I am just guessing here though. I don't work in an environment that gives me the luxury to take those risks.

Posted by: SilverStr at September 27, 2004 10:15 AM

I'm not sure I agree with you on never hiring someone who has ever (been caught) doing criminal computing. Perhaps reform is possible, and if over a length of time the person seems reformed (not just "did his/her time") I would say that they may be as good a risk as an unknown-as-criminal security professional. Of course I'm not hiring, so it's easy to say.

However, the hiring of Sven Jaschan is crazy. He is no "reformed hacker"; he was hired because he is a criminal hacker. He didn't say he'd reform, he just wanted a job. Are they crazy? As long as he is happy perhaps he won't do anything, but what if there is a parting of ways? Now he knows the inside of their security. Foolish act if you ask me.

Posted by: Leah Guildenstern at September 27, 2004 11:15 AM

What I disagree with you about is whether someone can't be trusted after they've been found guilty and paid for the crime, while someone else, who simply doesn't have a record, can.

Plenty of people had a good clean record, right up until they did something really terrible.

I argue that you can't be much safer than to depend upon someone like Kevin Mitnick (and other ex-offenders who have paid for their crimes).

First of all, when they "let their curiosity get too far" it wasn't so clearly an ethics violation or illegal in many states. They didn't take any property-- physical or otherwise.

I've known dozens of smart and honest people who saw no problem in hacking, because their intent was simply for learning-- not to take any form of property.

For examples:

+ Who hasn't tried breaking someone's password when they know they are acting properly on the person's behalf?

+ In high school, while experimenting on HP 2000B time-shared BASIC, we routinely tried to run login spoofs on each other.

I don't think I can trust anyone who says they never experimented with such things.

Second, these ex-offenders are going to be very careful in the future because their past record would affect sentencing on any future counts.

Posted by: Carl Dichter at October 7, 2004 06:04 PM

Hmm, interesting feedback Carl.

There isn't enough time in the day to fret about "the good the bad and the ugly". You are right that you have no guarantee that a "clean" person may not be... but looking at it the other way... I KNOW the criminal is not clean.

"When I was a child, I spake as a child, I understood as a child, I thought as a child: but when I became a man, I put away childish things. For now we see through a glass, darkly; but then face to face: now I know in part; but then shall I know even as also I am known."

- 1 Corinthians 13, verse 11

When you were a child launching scripts against your friends in school, that is one thing. Launching login attack sequences against your bank... that is totally different.

You are right, if someone said they never experimented with such things they probably are lying. What makes the difference is that one's moral and ethical boundaries from within the mind's eye must filter what is "right" and "wrong".

Doing something criminal already shows a breach of that. Why worry about trying to trust it? Of course, the best hackers don't get caught. You would never know them. You will never know of their work. Which means the hiring process is not perfect.

Like information security risk, when hiring, decisions are about risk MITIGATION.... not risk AVOIDANCE.

Good feedback here. And thanks for the comment.

Posted by: SilverStr at October 7, 2004 06:27 PM

It is up to the general public and the commercial customers to make a point of NOT purchasing goods or services from companies that employ people like Sven Jaschan. Simple as that. Do not buy Securepoint products. They will get the hint when their profits fall and their more ethical competitors clean up!
All the best.
Ray

Posted by: Ray at October 29, 2004 01:59 AM