Update: It seems like the initial article is inaccurate and that Paul Rellis never made any such comments about a 14 year old breaking into the X-Box live servers and have not offered to mentor him http://kotaku.com/5805742/microsoft-is-helping-an-xbox-live-hacker-develop-his-talent
TekGoblin reports (http://www.tekgoblin.com/2011/05/27/14-year-old-call-of-duty-hacker-hired-by-microsoft/) that a teenager who broke into the Call of Duty Modern Warfare 2 gameservers last month, has been hired by Microsoft. According to the article, Microsoft confirmed that they will work with the 14 year old to “develop his talent for legitimate purposes”.
This is bound to generate some controversy, if not downright hostility, in the security community. Perhaps particularly so in the anti-malware community where there has been a pretty strong self-enforced prohibition on hiring anyone who has ever had any involvement in virus writing. This was for good reason – it’s partly to show the world clean hands (helping to quash the stupidly illogical but persistent myth that the industry writes the viruses), but also to acknowledge that the skills needed for writing malware are very different than those needed for writing anti-malware products. Being a malware writer has never been a particularly difficult job; judging by the majority of poorly written, buggy and badly tested pieces of code we see every day; whereas writing an antivirus system necessitates a highly focussed, quality driven approach that requires fast thinking, low level systems knowledge and a fanatical dedication to avoiding problems like false-positives and/or crashing, slowing down, or otherwise impacting our cusomers’ systems and data.
But what about in this case? Is it really so bad that a company would try to engage with a young man who has shown that he has some degree of technical knowledge, and is interested enough to try to work his way around system security. What are the options here?
A hard line, more conservative approach would be to suggest some punitive measures – perhaps banning the perpetrator from the network, or even attempting some sort of prosecution (though against a minor, this would probably be difficult). The idea is to send a strong signal to like-minded individuals that this sort of behaviour is always intolerable, and that serious consequences will result. But where does that leave the child in question?
14 year old boys (though I’m aware that there are female hackers and gamers, in this case the article is about a boy) already face a host of problems – raging hormones, insecurity about their developing bodies, enormous peer pressure to be ‘cool’ and ‘fit in’, rampant curiosity, an urge to ‘win’ and all the other traits with which a few million years of evolution have served to equip them. It is also a time when moral character develops and hardens, along with interests that are likely to funnel into later career choices.
A more liberal view might be that, since the child has expressed interest in computer security (by subverting it), this could likely be channeled if the more antisocial behavior is nipped in the bud. The article isn’t clear on the circumstances of the ‘hire’* but one suspects that the conversation went along the lines of “What you’ve done is very likely to end up with you in court, losing access to your computer/X-Box/Playstation etc. and being ostracised (yes, 14 year old boys do know what that means – some all too well) by the security community and you could get a huge fine. Or, you could let us help you learn in a safe and controlled environment, and you’ll learn how to direct your skills to helping secure and protect systems so that in future your skills will be useful to us, rather than landing you in further trouble.”. This is the sort of ‘value proposition’ that would make sense to a 14 year old. In my experience, young teenage boys are motivated by achievement (why else would they spend hours trying to level up in whatever computer game they happen to be playing or want to be on the winning sports team), and punitive measures taken against misdemeanors can often be a way to encourage further rebellion. Pushing the boundaries is a natural part of teenage life, and unfortunately it does lead, at times, to criminal behaviour – the question is whether we want to fill more jails, or educate and correct where possible.
It’s difficult to really judge Microsoft harshly for this action (though I’m sure many will happily do so); my personal feeling is that they could be on to something with this approach. No, of course they don’t want to encourage every young kid to try to break into their systems in the hope of getting a job, but the reality is, most kids do just want to play the games, and don’t have the interest or skills to do what this young man did. If it’s a choice between driving a curious kid into an isolated and angry state where long term he might find refuge in the ranks of the black hat community, which will surely welcome him with open arms, or engaging with him by trying to correct his moral compass and direct his skills to more useful pursuits, I actually think that the latter is ultimately the better choice. Certainly, if the kid decides that, having learnt what he can from Microsoft, he should to go back to criminal pursuits, by all means call in the uniformed officers and take punitive action. There’s a huge difference between a 14 year old child on the cusp of adulthood (don’t you remember all the stupid stuff you did when you were 14?) and a responsible adult – that’s why the law treats children differently, even in the most serious crimes.
I’m not condoning breaking into systems – and I’m pretty sure the kid was made very aware of the parlous state of his future when he was approached by Microsoft (can you imagine that phone call?). If it was my kid, I’d be pretty angry about what he’d done, but, as a parent (of a 14 year old), I am aware that education (constant and consistent) is the best approach to correction, and also that 14 year old kids, while they often do stupid things, also have the capacity to do amazing and inspiring things when they’re motivated – so I’d also be grateful to Microsoft for taking this approach. What I’m actually condoning is education tempered with disciplne – the classic ‘carrot and stick’ approach, which has been the staple of parenting since time immemorial.
On a wider point, it would be great to start to see ethics and security taught side by side with IT skills in schools and I know that Microsoft, in common with many other IT companies, are heavily involved in investing in promoting education (for instance they are board members, along with ESET and others, of the National Cyber Security Alliance). I, for one, think it’s good to see them put this in action to try to redirect at least one young man away from a path which might well lead to more problems (for us and for him) further down the line. Of course, this won’t stop the debate from raging, and I’m sure Microsoft are well prepared to take some flack on this issue.
* It’s not completely clear that it’s actually a hire, it’s stated as ‘working with’ – which could have a range of meanings up to and including involuntary attachment to avoid the sort of punitive measures stated above – i.e. work with us, or understand that you’ll be more severely punished for what you did
Author Andrew Lee, We Live Security