Spies Recruit Hackers – Hype Or Sense?

The NSA is said to be looking for new hires at DefCon, according to SC Magazine. This seems to have become a fashionable thing to do: last year, GCHQ in the UK launched a similar initiative. But is this actually effective? I wonder what type of person gets attracted by this and who these geeks are actually able to protect us against. Are we expecting protection from other hackers who share their new Flash exploit with their colleagues, or from determined attackers who can combine a number of techniques to get inside large computer systems and hit where it really hurts?

My hunch is that a typical hacker is a person who has a passion for technology and is willing to spend many hours on what might appear to be a “meaningless” problem just because it is bugging him (it is stereotypically “he”, but I admit girls can be damn good at it too). Hackers therefore tend not to be very sociable, and as a result the one thing they tend not to do very well is reason about security in the context of broader system architectures.

This has two main implications. The first is that many interesting and perhaps very practical hacks end up pretty much ignored by security managers at corporations. Those managers’ focus reflects their experience of project implementation: they extrapolate from how hard it is to deliver a project to how hard it might be to successfully coordinate an attack through several layers of defenses, and so gain false confidence about the overall health of their security. A small hole in the boundary wall doesn’t raise an alarm in the fort.

The second point is that hackers tend not to think about the overall security of systems but mostly about the security of individual system components. This makes it more difficult for them to argue that a potential attack is significant: they can see the immediate effects of the exploit, but they may find it difficult to extrapolate from that to what it means for the system as a whole.