Basically, Hotz purchased a Sony PlayStation and then found ways to hack into it, i.e., 'jailbreak' it. Later, he shared instructions and software tools on his website that helped other Sony PlayStation 3 owners modify their consoles to run unauthorized applications and pirated games. Hotz was accused by Sony of breaching the Digital Millennium Copyright Act and other laws.
And yet recently he was hired by Facebook as a software engineer to possibly boost the company's mobile efforts.
Which begs the question: Why would a security-savvy company hire a hacker - and would your organization do the same?
Marcus Ranum, CSO at Tenable Network Security, says that one needs to be careful about hiring a former hacker.
"What if the 'ex-hacker' is not so 'ex?'" he says. "The value of such an individual is going to be reduced by the extra care you'd need to invest in order to make sure they weren't on a reconnaissance mission, or leaving a backdoor through which to return."
However, Facebook's hiring of hacker Hotz as a software engineer is a unique situation, say some industry experts.
"This is a very different situation from remote computer hacking where data theft or system impact is the outcome," says Jeremiah Grossman, founder and CTO of WhiteHat Security. "Hotz has not hacked into an organization's computer system and been charged with a crime under the Federal Computer Fraud and Abuse Act."
Of course, Hotz was sued by Sony for the PlayStation hack, and the company claims that Hotz's jailbreaking ways have facilitated software piracy.
"I'd expect that Hotz's employers at Facebook have had a frank discussion with him about not doing anything that causes other large companies to sue Facebook," Ranum says. "They didn't hire him for his reverse-engineering and jailbreaking ability - they hired him for the smarts that his reverse-engineering and jailbreaking skills illustrate, and that's legitimate."
But is that worth putting the organization's reputation and clients at stake?
Remember 'Cap'n Crunch,' or John Draper, who became a legend for his hacking skills as a "phone phreak"? He spent three stints in jail in the 1970s for tampering with the phone system. He later went to work for Apple as a contractor and invented the EasyWriter, Apple's first-ever word processor. Draper was tolerated and even embraced in the high-tech business community then.
"In the past there was the opportunity to be a hacker, to do inappropriate things and then people would employ you. In the future that is not going to be the case, as neither the industry nor the buying community will accept individuals who have operated illegally," says Ian Glover, president of the UK's Council of Registered Ethical Security Testers (CREST), a global organization that assesses the skill and competence of professionals working in the penetration testing industry. "Also, attempts to professionalize the industry and encourage youth into the technical security industry are hampered by hiring individuals who have acted illegally."
I completely agree with Glover. If I hired a hacker today, there would always be that lack of trust and uneasiness to constantly verify their status and ensure they do not continue their rogue ways once they're a part of the development team.
And what happens if I make a wrong decision assessing the character of the individual? It's a total loss of my company's and my own credibility.
Abbas Kudrati, information security manager at the National Bank of Kuwait, says, "I would be extremely worried hiring Hotz." He further adds, "The question is not hiring a good vs. a bad hacker; it is hiring of a hacker mindset, period."
I think it ultimately comes down to the cultural outlook, human resource policies and codes of ethical conduct within organizations that clearly dictate how much baggage and potential history is acceptable.
These are challenging times for security organizations, and individuals with the top skills are prized. But how far are you willing to go to fill a key role?
Is your organization willing to hire a hacker?