Security News > 2000 > September > @Stake jilts Phiber Optik
http://www.securityfocus.com/news/79 The corporation formerly known as the L0pht courts Mark Abene, balks at his hacker past. By Kevin Poulsen September 1, 2000 5:12 AM PT When Mark Abene found himself being wooed last month by security services firm @stake, he didn't expect his hacker past from seven years earlier to come back to haunt him. After all, just last January a newly-minted @stake was basking in media limelight after announcing a merger with the group the company described as the "renowned hacker think-tank" L0pht Heavy Industries. So Abene was surprised when the company, which was apparently ignorant of his history when asking him to join its budding New York office, abruptly withdrew its offer in the final phases of hiring. As Abene describes it, the @stake recruiter tiptoed gingerly around the reason for the company's change of heart, before she finally explained in a voice dripping with contempt and finality, "We ran a background check." Whether @stake's investigation turned up the countless books and magazine articles written about Abene in the first half of the last decade, or the 1993 hacking conviction that landed him ten months in federal stir, the result was the summary rejection of the man once known as "Phiber Optik" by a company whose vice president of research and development answers only to "Mudge." Now Abene is crying foul, charging @stake with hypocrisy in a flap that highlights the ambiguities and conflicts that arise as hackerdom's Generation X moves into corporate career slots. "I see a rift generating," says Abene. "People who have been able to escape their teenage years unscathed have this elitism. They consider themselves better than other hackers who were unlucky enough to be prosecuted for whatever reason, or for whatever mistakes they made." Unlike Abene, and notwithstanding their underground image, none of the L0pht's members are known to have committed a computer crime. The group is generally regarded as a collective of "gray hat" hackers who publish programs that test network security, like the $100 L0phtCrack password cracker, and discover and publicize vulnerabilities in software products. They've claimed that they retain their handles, Brian Oblivion, Dildog, Kingpin, Mudge, Silicosis, Tan, and Weld Pond, not because they have anything to hide, nor to capitalize on the mystique hackers hold with the media, but because it's how they've always been known in the security community. (@stake declined comment for this story, except to issue a written statement saying that the company performs background checks on all new hires. Mudge did not return phone calls.) Abene, on the other hand, was renown for his unauthorized romps through telephone systems and packet-switched networks in the years before the Internet blossomed. Back then, he had a reputation as a non-destructive and mediagenic hacker who never concealed his actions; in the 1992 book "The Hacker Crackdown," author Bruce Sterling wrote of Abene, "Even cops seemed to recognize that there was something peculiarly unworldly and uncriminal about this particular troublemaker." His raid by the U.S. Secret Service was a focus of John Perry Barlow's "Crime and Puzzlement," the first manifesto of the electronic civil liberties movement. In the years since Mark Abene last used his handle, he's worked doing penetration tests for an accounting firm, and now heads a three-man computer security consultancy in New York called Crossbar Security, named for a type of vintage telephone switch. "The majority of the work that my firm has gotten has been through recommendations from other people," says the 28-year-old Abene. "We don't do any marketing or any publicity." As the head of a small business, Abene says he's doing "fairly well." But in the world of large security companies with millions in funding, his conviction may matter more. "It's definitely an interesting paradox in the industry now," says Space Rogue, who until last June was an employee of @stake's L0pht component and the editor of the Hacker News Network. "The mantra has gone from, 'we don't hire hackers'--because everyone does whether they know it or not--to, 'we don't hire criminals.' Which means as long as you don't have a criminal record, you're good." Indeed, there are few hackers from the eighties and nineties who can't rattle off a list of peers from the computer underground now working for top-name security firms. But confirming them without the paper trail of a criminal conviction is tricky--perhaps mercifully so for companies who need the talent. "That seems to be the one saving grace," says security consultant Chris Goggans, who freely admits to his own hacker past. "A lot of companies can hire these people and look the other way because they were never arrested." As "Erik Bloodaxe," Goggans was a member of the 80's hacker gang the Legion of Doom, and an Abene rival. But he was never prosecuted for a computer crime. "I look back and think, I was really, really lucky." Now, as director of operations at Virginia-based Security Design International, he says he'd have to turn away an applicant who'd been convicted of hacking. "For the kind of work that we do, if they had a past history of being convicted for any felony, I wouldn't hire them," says Goggans. "It affects a companies' errors-and-omissions insurance, whether they can be bonded, whether the applicant will be able to hold [defense] clearances." Even 20-year-old security wunderkind Marc Maiffret, "chief hacking officer" and cofounder of eEye, a California security software firm that recently raised a $5 million in venture capital, says he'd hesitate before hiring an ex-cyber-con. "If somebody does have something on their record, they need to be that much better," says Maiffret. "They need to be twice as good." Maiffret admits to a past that includes cracking Pentagon computers, but says he'd hire himself, because he is that good, and he's grow older and wiser since then. "That's stuff that happened, like, three years ago now." The reporter is a convicted hacker. Tips, feedback, flames? Email news () securityfocus com *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC ================================================================ C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* ISN is hosted by SecurityFocus.com --- To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".
News URL
http://www.securityfocus.com/news/79