I don't subscribe to the train of thought that the best security specialists are ex-black-hats. Mainly because most black-hats are only out, open about it, because they have been caught. IMHO this doesn't make them good; it just goes to show that they are rather poor at it. They did get caught, right?
Though they would never admit it, I imagine that most of the best white-hats / security specialists I have known have likely worn a black-hat at some point in their past.
Just as I would state that the best computer scientists are those that grew up with a curiosity and interest in computing that cannot be extinguished, one has to have the ability to put themselves in their opponent's mindset (the white-hat in the mind of the black-hat) or they won't be very successful.
I have done so many information / network security tasks combined with countless internal security audits (Sarbanes, etc.) that I cannot connect to a network or walk into a new building without thinking about how one would theoretically subvert the systems in place. This doesn't mean I am acting on this knowledge, but I would say it is a switch that gets turned on in the best security professionals that cannot be turned off. I'll meet someone at their office for the first time and find myself saying something like: "Physical security is terrible here, why would anyone waste time hacking into a network located in this facility when they could just walk right through the front door?" This is constructive criticism, though I shouldn't be giving away my knowledge, as doing so reduces the perceived impression of the value of people in my profession.
I was working on Bank of America's firewall team, early in my career, and a potential candidate had made it past our team's rigorous technical screening and, though maybe unknown to him, he was going to be offered the job, as he had impressed us with his knowledge, and the meeting with our manager that turned into lunch with the team was just a formality. That was until during lunch when he openly stated "He had worn so many color hats, white, black, gray that he often gets confused on which he is currently wearing." We all looked at one another and sighed because we all knew such a statement had made him ineligible for the position. We were not upset that we might have hired a former black-hat but rather disappointed that he was so naive about the environment that he would openly state such a stupid declaration in front of us and our manager. If he were experienced enough to realize his mistake before making it, he would have likely been a valuable member of that team.
It's like a television show called MasterMinds on the History channel that shows supposedly criminal master-minds, the details of their crimes, and the story of how they were eventually caught. I wouldn't call any of these people criminal master-minds. A show about criminal master-minds would not be that entertaining because they would say this is how it was concluded that a crime had been committed, if they could even determine that, and then they would explain how they don't know how the crime(s) were committed, and that the unknown suspects have yet to be identified. This is because a true criminal master-mind would have never been identified and the crime would be so unique as to defy description.
I tried to explain to a close-minded information security professor, during my Masters program, that going through detailed descriptions of known security exploits was a waste of time. I tried to no avail to explain that known (named) security exploits posed no threat, as they would have a countermeasure in place already, and that the real risk was security exploits that have yet to be identified because there is no current countermeasure for them. I suggested that discussing the inherent security risks of deploying UDP on a network, for which I later wrote a research paper, or similar such topics would be a better use of our time. Rather than taking advice from a graduate student, the professor instead had us start breaking down the Code Red worm in detail.
So, was it wrong for the prison to employ a known cyber-criminal to deploy a security system for which he would be part of the population the security system was going to attempt to control? Absolutely! Employing any of the prisoner population would be absurd! He demonstrated two things: 1) He has skill beyond those that allowed him access and 2) He once again, just like when he was caught committing his previous cyber-crime(s), demonstrated that he still had lots to learn, or the compromise of the system would have never been identified or it would have only been found once it was too late. I would call this cyber-criminal a script kiddie at best, implementing only ideas and concepts, which he did not completely understand, designed by more skillful engineers that had come before him. It is sad that our society must make such distinctions, but we all agree that being a black-hat is a bad thing, but to be completely honest we must admit that it is worse to be identified as a black-hat than actually being one.
If I were brought in after to clean up after this mess, I wouldn't have taken the time to determine how many levels of passwords the cyber-criminal had put into place. From experience I would have simply reset all the equipment back to factory defaults, and after determining that no further tampering was present (BIOS modifications, etc.) I would start from the beginning (or even better yet, abandon the system in total because a prisoner has known intimate knowledge of it). Doing anything else would only allow for the potential of segments of malicious code being undiscovered. The reason for this is that I would be placing my mindset into that of the worst black-hat I could imagine, likely a much more skilled one than this so-called cyber-criminal. What it comes down to is that in general criminals are stupid. If they were smart they likely wouldn't be identified as criminals, or even more likely they would realize that crime more often than not does not pay, or should I say does not pay enough... I have walked down corridors in my career lined with NIB million-dollar Sun Microsystems servers (E10000s, etc.) that I could have surely put a plan together that would have allowed me to move many of these systems from my employer's possession into my own... with little to no risk to myself. But in balance with that risk, regardless of how manageable, such an act would have never been worth the potential loss of my job and / or career. So, I am not a criminal, and for not only reasons including and beyond the moral and ethical implications but for many contributing factors that culminate in the basic understanding that it is just not worth it. My reputation is priceless and therefore not up for negotiation, even with myself. But, I'm not a stupid criminal!
So, would I be upset if I found out that I had hired a black-hat to work for me in a high-level security position? Of course, but if I had a highly intelligent former black-hat working for me and I never discovered any evidence of their previous nefarious past, then he/she deserves the job in my eyes.
Is it our past or our current behavior that defines us? What would Jesus do?
Nick Powers