What The Hack Did He Say?
by Lewis Z. Koch

"IBM would never consider hiring a reformed hacker. It would be like hiring a burglar to institute a burglar system on your house. You wouldn't do it."

So said David Binney, director of corporate security at IBM, in Solar Sunrise, a video produced last year by the Federal Bureau of Investigation and the National Infrastructure Protection Center, ostensibly to deter people from hacking. In Binney's view, hackers, like burglars, break in with the intent to steal. IBM won't hire you, he said, and neither will any responsible computer security firm. Hack and you'll never work in this town again.

Don't believe it, Binney. The town and the times are a-changin'.

Testing the thesis

A number of top-tier, high-profile firms feel differently about hackers. Evidence? Look at the recent joint venture among a group of hackers known as the L0pht, Compaq Computer and Forrester Research that involves $10 million in venture capital. There's nothing "reformed" about the L0pht; members wear the mantle of hacker proudly, says Space Rogue, a L0pht member in good standing.

Although not a hacker, reformed or otherwise, Steve Lutz, president of WaySecure Consulting, hires reformed hackers. His company offers a full range of computer security consulting, including evidence gathering, risk assessment, security testing and training. Among the hundreds of clients he and his hackers have served are Chase Manhattan, American Express, Morgan Stanley Dean Witter, insurance giant Transamerica, TIAA-CREF, the U.S. Navy and the U.S. Army - organizations with serious items to protect: money, stocks, bombs.

"I hired several hackers," Lutz says, "the most famous, perhaps notorious, being Mark Abene, a.k.a. Phiber Optik. I brought Mark into the security consulting world by hiring him when he was released from prison. He worked for me for about two years and then started his own company, called Crossbar Security. Mark is a perfect example of the nation's most feared hacker turning around and providing a valuable service to the commercial sector and reaping the rewards that go with it."

Lutz says hiring hackers as consultants can be "highly rewarding. This is true for both the clients we serve and . . . the hackers themselves. Many young, talented hackers are bored and looking for something to do. By providing them with a constructive objective and rewarding them monetarily, we help focus them in a positive direction that keeps them busy and out of trouble." The idea, as Lutz sees it, is to manage them and teach them business skills, not banish or outlaw them.

Inquiring minds

Could Binney have had an ulterior motive for his statement? IBM has what it calls an "ethical hackers" unit that will, for $15,000 to $40,000, according to the company, "simulate a real intruder's attack, but in a controlled, safe way." IBM's Internet Security Assessments, for $40,000 to $200,000, will tell companies if their Web sites are vulnerable and, if so, shore the sites up.

I asked computer security people all over the Net what they would like me to ask Binney. But after initially agreeing to an interview on Feb. 8, Binney changed his mind and has since been unavailable for comment, despite numerous phone calls, messages and e-mails. The questions, though, have value in themselves.

Carole Fennelly is a security consultant and partner at Wizard's Keys, a Tinton Falls, N.J., consulting company specializing in computer systems security. Fennelly had three sets of questions:

1. If IBM doesn't use hackers for penetration tests, then what is so special about its test? If it is merely testing for known vulnerabilities using a package like ISS Scanner [which uncovers vulnerabilities likely to be exploited during attempts to attack a network and provides the necessary corrective actions], why should a company pay big bucks for that? Why couldn't companies just run the scan themselves?

2. Has IBM ever encountered a site with really iron-clad security? If so, what did IBM put in the report? IBM can answer that one without naming the company, just as physicians mask the identities of their patients, while still providing the data necessary for studies.

3. When IBM makes recommendations, does it refer the client to a vendor with which it has a partnership? Does it offer to do the work itself? They're not using the audit as a marketing opportunity, are they? Audits can be legitimate opportunities for a company to prove its worth to the client. They can also become a con job targeting overworked and understaffed technical administrators.

Sage security advice

Matthew G. Devost, a senior information security analyst at Security Design International, a firm providing security consulting services to international corporations and governments, warns against using large firms that offer prepackaged security solutions. "With large consulting or product companies, the security consulting team is often used as a mechanism for pushing other products or services," Devost says. He also cautioned against an assessment team that benefits from future product sales or follow-up implementation support.

"Pay close attention to methodology," Devost says. "If a company offers a quote without first understanding your network, their assessment can't really be trusted." Other things that don't bode well, Devost says, are the use of a single commercial product or reliance on assessment tools.

Devost says customers should check the qualifications of the security team. "Will the names provided be directly involved in your assessment? Beware the bait-and-switch technique, where a team of senior security engineers is offered up, but replaced by a team of recent college graduates at the last minute."

Cast a wide net, Devost says. "There are a hundred reasons why you should avoid using a large consulting company to perform a security assessment . . . [which] will become apparent only when you broaden the spectrum of firms you solicit for quotes. Pay very close attention to the technical substance of their proposals."

So, contrary to what Binney said, with all the problems around the Internet
- denial-of-service attacks out of nowhere, computer malfunctions and
software vulnerabilities - there is a growing market for reformed hackers,
one that's lucrative and fun and, best of all, legal.
Lewis Z. Koch has been an investigative reporter for over 30 years.
He can be reached at lzkoch@attbi.com.