Hackers aren't criminals -- they're the best kind of security

LAIRD BROWN
Tuesday, August 15, 2000

Victor Keong, a computer security specialist with Deloitte & Touche, recently advised us in this column not to hire hackers (Don't Hire DefCon Hackers -- Aug. 8). Specifically, we shouldn't hire hackers who attend DefCon, the world's largest hacker convention held annually over the past eight years in Las Vegas. We should hire Mr. Keong and others like him, he says, because he is not a hacker, nor does he have body piercings, dye his hair blue, or use a pseudonym.

Forgive me for not taking his advice.

Mr. Keong, I'm certain, is a very competent security professional. He is not, however, very well attuned to the hacking community. His commentary read like a cautionary tale against hiring accountants from the Mafia. It's good advice, if he had all of his facts right. But since he mentioned by name someone whom I have just hired, I would like to correct some misperceptions.

Some hackers use handles, as do rappers and CB radio operators. Big deal -- it's a cultural thing. And Mudge, one of the world's most famous computer security experts, uses one too. I just arranged for Mudge to serve on our technical advisory board, along with two other hackers, Dildog and Reid Fleming.

But back to Mudge. He's an A-list hacker -- he's not a criminal, an amoral supergenius or an irresponsible person. He is -- the singularity of his name notwithstanding -- the founding director of the L0pht, a hacker think tank in Boston; an adviser to U.S. President Bill Clinton on Internet security; and vice-president of research and development for @Stake, a company dedicated to securing the Internet economy. Interestingly enough, Mudge and Mr. Keong compete for many of the same clients, although I'm willing to allow that Mr. Keong might not have known this.

So what exactly is a hacker? First, let's define what a hacker is not. A hacker is not a criminal. The people with funny names who are arrested for stealing credit cards or shutting down Yahoo are not hackers. They are criminals. Other people with funny names who advise the president of the United States, NASA, and various three-letter agencies, are not criminals. They are computer security professionals. Granted, not everyone who attends DefCon has a client list like Mudge's, but some approach it.

DefCon was originally organized to put hackers together with law enforcement. In fact, one of the most amusing parts of this convention is the "spot the fed" contest. This is a game in which feds who try to attend covertly are publicly outed. It's all in good fun, and in fact, the feds love it. They come to DefCon to learn alongside the hacking community about the bleeding-edge exploits that will haunt Internet security. They also show up to do some recruiting, unlike Mr. Keong. The feds have learned something that business would do well to emulate: If you want to catch a cracker, you'd better hire a hacker.

Playing on stereotypes does not advance public understanding of the hacker community. Of course, many DefCon attendees do fall into the Hollywood cast of hacker misfits. But the majority of people whom I trust and know well evade such convenient labelling.

My only disappointment with DefCon this year was that two hackers whom I wanted to hire are currently unavailable. Perhaps if I toss some body piercings and tattoos into the employment package, they might take me up on the offer.

Laird Brown is the minister of information for openCOLA, an open-source development company based in San Francisco and Toronto.