Ex-hackers 'rubbish at security'

Companies should stop hiring hackers to beef up security - not for ethical reasons but because they are no good at it, according to experts.

Delegates at the RSA Security Conference in Amsterdam heard a panel of reformed hackers, police officers, members of the legal profession and corporate security experts launch scathing attacks on the abilities of most hackers.

The skills that make a good hacker are not the same as those required by an IT security officer, delegates were told.

"Everyone thinks that if you know how to break into a system then you must know how to protect one. It's rubbish. I could teach a monkey to break into a system in four hours," claimed Ira Winkler, chief security strategist at Hewlett Packard.

"While there are highly skilled technical hackers out there, they are the ones you never know about because they don't get caught."

But most hackers are IT professionals in their 20s and 30s, suggesting that companies may be late in their realisation that cyber-poachers do not make good cyber-gamekeepers.

"Why would you want to employ a hacker with a criminal record, i.e. someone so bad they'd been caught?" asked Tony Neate, industry liaison officer at the National High Tech Crime Unit.

"After all, if a bank is looking to employ a security guard they don't try and find a former bank robber to guard their safe. Companies must be sure that they know their staff's backgrounds."

Checking employees was highlighted as essential, but there was a gap in the law as juvenile criminal records are sealed when the perpetrator reaches adulthood.

But a quick search of the internet using a web or newsgroup search engine should reveal details of a person's hacking history, if it exists.