by PSD

Ellyne Phneah's article, Black hats can benefit firms but precautions needed, considers both sides of the controversial subject of hiring black hats. The arguments Ellyne elicits from Eric Chan, who suggests that this practice can be beneficial, and my reactions, follow:

A pool of reformed hackers is available for hire
The article provides no evidence that the hacker community is in the throes of a moral reformation. Honestly, I'm not certain a reformation of this kind is all that attractive. In one possible scenario, the hacker admits to malicious, possibly criminal (possibly felony) acts. These admissions may result in arrest, prosecution, trial, and jail time. A second scenario is that some number of hackers already serving sentences claim they are reformed. In another scenario, a candidate interviews with you and privately discloses he is a black hat and describes his hacktivities. Work out the rest of this scenario for yourself. Are you comfortable with any of these scenarios?
Hackers have experience or know the trade
These are ambiguous claims at best. I won't argue that elite hackers may indeed have a keen understanding of programming, operating systems, network protocols... Later in Ellyne's article, however, Richard George correctly points out that it is certainly possible to learn the same skills without breaking the law (I make the same points in my Security Hats article). I am willing to concede that these are opposing views, but I know of no body of scientific data to support the claim that black hats know the trade better than white hats. I do know that reports of high-profile security incidents demonstrate that certain black hats can successfully attack certain sites that are not adequately protected. I also know that black hat activities get better press and social media coverage than white hats. Do you recall the last time you read an article praising a white hat for having secured his shop so well that black hats turn away and look for lower-hanging fruit?
Black hats add a dimension of expertise
The assumption that a certain dimension of expertise can only be acquired by hiring a black hat is curious. Chan explains that "A good hacker loves the challenge of finding vulnerabilities in networks and systems, and spends countless hours perfecting his craft and is hence competent at this role." I can characterize any number of security and operations staff I've had the privilege to meet and work with this way. More importantly, I can add "they act ethically and have never committed criminal acts."
Black hats are cheap labor
I am embarrassed for any security professional who would argue in favor of hiring hackers on the basis that "They could also be cheap to hire [compared to] computer science PhD holders." The truly elite and reformed black hat probably doesn't come cheap. Moreover, there are costs beyond the salary you pay the black hat to consider. For example, in the article, Chan stresses the need for background checks. A background check on a white hat is unlikely to require a costly and extensive investigation resulting in hundreds of pages. The equivalent check when investigating someone with a rap sheet can be very expensive (if you doubt this, visit the FBI Identification Record page). Next, add the cost of managing the probationary period Chan recommends. How does the cost-risk-benefit look now? These are the obvious tangible costs. We haven't yet considered the cost of managing (alleviating) concerns among business customers, peers, and partners to whom you should feel ethically obliged to disclose your hiring practice, much less the attrition of customers, peers or partners who won't accept the risk your hiring practices pose to their businesses.
None of these arguments is new or convincing, yet we discuss this issue every time someone mentions hacking.
In Ellyne's article, Paul Ducklin asks a common sense question:
"Why would I want to bother in the first place?"
Why, indeed.
If you still need to be convinced, you may want to read my reasons to avoid hiring hackers.