Californian resident Kevin Mitnick is the world's most famous computer felon. His two decades of hacking into computer and phone systems have earned him five arrests, and after the last, in 1995, which followed two years on the run from the FBI in which he continued to ply his trade, he was sent to prison for five years. Agents finally caught up with him as he was breaking into the San Diego Supercomputer Center.
But Mitnick is now 39 and apparently a reformed character with a new career as a computer security professional, a classic instance of poacher-turned-gamekeeper. Since walking out of Lompoc prison, central California, two years ago and into supervised release, he speaks on the lecture circuit at computer security conferences and has hosted a weekly radio show in Los Angeles called The Dark Side Of The Internet. When his probation ends in six months' time, he wants to start his own computer security firm.
Mitnick's conversion is not untypical. Before Steve Wozniak became rich by co-founding Apple, he was a phone phreaker, a 1970s precursor of today's hacker, duping phone systems into placing free long-distance calls. Wozniak was a disciple of the infamous John T Draper, aka Captain Crunch, who surfed the phone lines simply by blowing a toy whistle into the receiver. Draper, too, now runs his own California computer security firm.
Then there is American Kevin Poulsen, who also went to prison but is now editorial director of a leading security information group called SecurityFocus.com; and Robert T Morris, imprisoned 10 years ago for unleashing a virus while a graduate student at Cornell University. Morris became an internet millionaire when Yahoo acquired the Cambridge, Massachusetts, web company where he went to work after his release.
The list goes on and raises an obvious question: should computer businesses entrust their security to former hackers? The facts are that, because these individuals know the secrets of cyber lock-picking and understand the criminal mind, corporations and law agencies are now shamelessly wooing them. Information technology systems are more than ever under threat. Reported cyber crimes cost US businesses $456m last year, according to a joint survey by the FBI and the Computer Security Institute, an industry association, and many cyber attacks go unreported. In the UK last year, 44% of businesses suffered some kind of security breach, according to a DTI report, and the average damage per break-in was £30,000 (€48,000). Moreover, experts fear that information networks are soft targets for terrorism.
Information security groups are running in place just to keep up with the "how-to" guides freely posted by hackers on about 4,000 websites, according to Austin Wright, senior UK technical manager for US security firm WatchGuard. So why not tap someone with a dubious past who says he has changed his ways?
Although many computer security firms have strict policies against hiring former lawbreakers, they acknowledge the fine line between the straight and the so-called "curious" security specialist. It's hard to find a computer security organisation without a few curious types on the payroll.
Take, for instance, Internet Security Systems (ISS), a $223m firm based in Atlanta, which specialises in spotting weaknesses in a company's information systems. Its employment roster is a roll-call of upright citizens. Division chiefs include a former US green beret, an FBI agent and a US military intelligence officer who boasts Desert Storm and Vietnam on his CV. In its daily fight to make the world safe for zeroes and ones, ISS deploys units with names such as X-Force, the Special Operations Group and the Internet Threat Intelligence Centre. …