Career Insights with Upasana Gupta

Would You Hire a Hacker?

George Hotz, or GeoHot as he is commonly addressed in the hacking community, is best known for unlocking the iPhone and for publishing a "jailbreak" for Sony's PlayStation 3 gaming console.

Basically, Hotz purchased a Sony PlayStation and then found ways to hack into it - i.e.; 'jailbreak'. Later, he shared instructions and software tools on his website that helped other Sony PlayStation 3 owners modify their consoles to run unauthorized applications and pirated games. Hotz was accused by Sony of breaching the Digital Millennium Copyright Act and other laws.

And yet recently he was hired by Facebook as a software engineer to possibly boost the company's mobile efforts.

Which begs the question: Why would a security-savvy company hire a hacker - and would your organization do the same?

Marcus Ranum, CSO at Tenable Network Security, says that one needs to be careful about hiring a former hacker.

"What if the 'ex-hacker' is not so 'ex?'" he says. "The value of such an individual is going to be reduced by the extra care you'd need to invest in order to make sure they weren't on a reconnaissance mission, or leaving a backdoor through which to return."

However, Facebook's hiring of hacker Hotz as a software engineer is a unique situation, say some industry experts.

"This is a very different situation from remote computer hacking where data theft or system impact is the outcome," says Jeremiah Grossman, founder and CTO of WhiteHat Security. "Hotz has not hacked into an organization's computer system and been charged with a crime under the Federal Computer Fraud and Abuse Act."

Of course, Hotz was sued by Sony for the PlayStation hack, and the company claims that Hotz's jailbreaking ways have facilitated software piracy.

"I'd expect that Hotz's employers at Facebook have had a frank discussion with him about not doing anything that causes other large companies to sue Facebook," Ranum says. "They didn't hire him for his reverse-engineering and jailbreaking ability - they hired him for the smarts that his reverse-engineering and jailbreaking skills illustrate, and that's legitimate."

But worth putting the organization's reputation and clients at stake?

Remember 'Cap'n Crunch,' or John Draper, who became a legend for his hacking skills as a "phone phreak?" He spent three stints in jail in the 1970s for tampering with the phone system. He later went to work for Apple as a contractor and invented the EasyWriter, Apple's first-ever word processor. Draper was tolerated and even embraced in the high-tech business community then.

"In the past there was the opportunity to be a hacker, to do inappropriate things and then people would employ you. In the future that is not going to be the case, as neither the industry nor the buying community will accept individuals who have operated illegally," says Ian Glover, president of the UK's Council of Registered Ethical Security Testers (CREST), a global organization that assesses the skill and competence of professionals working in the penetration testing industry. "Also, attempts to professionalize the industry and encourage youth into the technical security industry are hampered by hiring individuals who have acted illegally."

I completely agree with Glover. If I hired a hacker today, there would always be that lack of trust and uneasiness to constantly verify their status and ensure they do not continue their rogue ways once they're a part of the development team.

And what happens if I make a wrong decision assessing the character of the individual? It's a total loss of my company's and my own credibility.

Abbas Kudrati, information security manager at the National Bank of Kuwait says, "I would be extremely worried hiring Hotz." He further adds, "The question is not hiring a good vs. a bad hacker; it is hiring of a hacker mindset, period."

I think it ultimately comes down to the cultural outlook, human resource policies and codes of ethical conduct within organizations that clearly dictate how much baggage and potential history is acceptable.

These are challenging times for security organizations, and individuals with the top skills are prized. But how far are you willing to go to fill a key role?

Is your organization willing to hire a hacker?

About the Author

Upasana Gupta

Upasana Gupta

Contributing Editor, CareersInfoSecurity

Upasana Gupta oversees CareersInfoSecurity and shepherds career and leadership coverage for all Information Security Media Group's media properties. She regularly writes on career topics and speaks to senior executives on a wide-range of subjects, including security leadership, privacy, risk management, application security and fraud. She also helps produce podcasts and is instrumental in the global expansion of ISMG websites by recruiting international information security and risk experts to contribute content, including blogs. Upasana previously served as a resource manager focusing on hiring, recruiting and human resources at Icons Inc., an IT security advisory firm affiliated with ISMG. She holds an MBA in human resources from Maharishi University of Management, Fairfield, Iowa.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.