In a recent BBC article, Raj Samani, chief technical officer of McAfee Europe, the reputable security firm, is quoted as saying: “I’ve never hired computer hackers but that’s not to say I would never do that.”
Wow, I thought. Really?
OK, I admit, hacker is one of those terms whose definition has blurred in the last decade.
It used to be generally accepted as a term for someone who broke into websites or databases, either to look around, change stuff, steal stuff, infect stuff, etc.
Today, its meaning is much broader, but you can generally divide hacker types into three groups. You have bad-ass hackers, referred to as black hats, and the good guys, like penetration testers, called white hats.
And don’t assume for a moment that there is no Venn diagram of sorts, with a big fat grey-hat area in the middle.
The hackers here don’t really sit firmly in either camp. Grey hats will typically break into a system, and alert the company to a specific vulnerability that they exploited. But grey hats often go public about the details of the vulnerability, and many argue that this tells black hats how to break in and cause havoc.
The question is: should security companies who create and push out software to customers open their doors to people known to have dabbled in grey- and black-hat hacking?
Customers build a relationship based on trust with security vendors. After all, customers who buy security solutions like anti-virus or anti-spam grant security companies access to update computers and devices.
In the same way that I want my bank to vet really closely who they hire, I want my security vendors to be really careful and only put the smartest, most trustworthy and most deserving of experts in the pit to help protect me from all the nasty malware out there.
And on a personal level, I hate the idea that people dabble in black-hat hacking, knowing they will be hired at the end of it by a reputable security vendor. It seems just wrong.
What do you think?