Wouldn’t somebody who built a computer in 1978, knew how to amend its operating system in machine code, was able to extend its memory by piggybacking RAM chips, wrote his own Prestel terminal software in assembler, has worked on embedded systems including those used by police control rooms, and more, be suitable? No, 60 is too old for a computer expert, they are all children. Any “Lord” will be able to confirm this.

“Thanks for the mail, to be honest, my objection is not to reformed hackers working in IT security, my objection is to hiring people who have scarce had time to demonstrate reform to deal with SigInt of the very highest classification. I also get a bit exercised by the way the government is waving the “teenage hacker” and “former naughty boys” banner as if it gains them some kind of cool or credibility.

In all candour I would dispute your claim about the best hackers not being in it for the money. I think the burgeoning cybercrime industry amply demonstrates that there is a very large community of highly skilled hackers and coders in the direct employ of organised criminal enterprises. I can’t dispute that, of the hackers you have dealt with, those are your findings, but I am certain there is a larger silent majority of skilled malicious hackers than the less harmful ones you have trained.

The rehabilitation of offenders act certainly does encourage the rehabilitation of criminals, and so do I, I am definitely not of the hang ‘em and flog ‘em brigade. I do think though there are sensible limits that should be placed around permitted activities and permitted levels of clearance for certain crimes. Dealing with matters of national security should not be the province of “former naughty boys”.

I am sure some security companies do use former hackers as consultants, more often than not, former hackers go on to found their own security consultancy companies (Mitnick) and good luck to them. “The security industry” though, by which I mean vendors and manufacturers do not hire former hackers because we believe it both damages our credibility in the eyes of our customers and it sends the wrong signal “write a great piece of malware then come work for us”. I think the same should apply to national security.

Believe it or not, I don’t write for publicity or notoriety, I only publish blogs that I can justify and in which I fully believe. You might have noticed that I try really hard to stay away from pushing any kind of product on Countermeasures (unless it is free) because I don’t want the articles to be seen as having an alternative agenda.

Shame we can’t have this conversation on the blog though, maybe other folks would want to join in!

Cheers,
Rik
“

Kids are kids.