FTIT September 5 2001 - Focus
The myth of cyber criminals becoming security superstars
by Mark Halper
Published: September 3 2001 10:56GMT | Last Updated: September 4 2001 16:55GMT

Kevin Mitnick, the world's most famous cyber criminal, wants to work as a computer security professional, helping businesses guard their computers from perpetrators. But he faces at least one problem: after five years in US federal prison for unauthorised hacking, the terms of his conditional release prohibit it.

That will change when he becomes a completely free man on January 20, 2003. He is confident he will hit the ground running. "I'd like to start my own computer security company," says Mr Mitnick, 38, speaking by phone recently from his suburban Los Angeles apartment. "It will be ready to go when I get off supervised release."

Mr Mitnick's plan raises a vexing question: should computer break-in artists work in computer security? What is to prevent people such as Mr Mitnick, a chronic offender who was arrested four times before his 1995 arrest, from doing it again? On the other hand, is anyone better qualified at protecting a computer operation than the people who know the illicit entrances?

Certainly, many notable hackers have gone on to credible fame or fortune in computer security or related fields. Steve Wozniak, the co-founder of Apple Computer, spent his early years scamming free long distance calls in a forerunner of today's computer network break-ins. Mr Wozniak learned at the knee of "Captain Crunch", aka James T. Draper, who runs his own California security company, Shopit.

Freed US felon Robert T. Morris became an internet millionaire in 1998 when Yahoo! acquired a web company for which he worked under a pseudonym.

Kevin Poulsen, who like Mr Mitnick spent five years where the food is not so good, is the editorial director for a leading security information group called SecurityFocus.com.

In the UK, Robert Schifreen, whose late 1980s break-in of Prince Philip's electronic mail led to the Computer Misuse Act of 1990, speaks on the lecture circuit and writes for Computing and other publications from his home near Brighton.

Many computer security companies say they will not hire hackers with a questionable past. But they do hire individuals they call "ethical hackers" who are skilled at penetrating their clients' systems to expose weaknesses.

Aled Miles, northern European managing director for Symantec, the US security software and services vendor, rejects the notion that underground hacker circles make a good recruiting ground.

"There is this romantic idea that former hackers make good security programmers, or that 'black hat hackers' are better than others," he says. "It's really the ability of one computer programmer over another. We have people who have deployed their skills in the right way."

Abilities

Furthermore, most underground hackers are not very good at what they do, says Kenneth De Spiegeleire, head of European, African and Middle Eastern assessment services for ISS, the Atlanta-based security company. This is because many simply use virus and hacking tools that are freely available on the web.

"Ninety-five per cent of hackers are completely useless," says Mr De Spiegeleire. "They know how to use the tools, but in originality, they are useless." Graham Cluley of UK-based Sophos Anti-Virus calls this "point-and-click virus writing."

The remaining 5 per cent represent a pool of potential security superstars, but it can be difficult to distinguish between good and bad. Hacker conferences draw a mix of legitimate security professionals and individuals who could be easily mistaken for Darth Vader's systems consultant.

Indeed, trustworthy hackers are "as rare as hens' teeth" says Geoff Davies, managing director of I-SEC, a small UK-based computer security company.

He adds: "You have to spot them where you can, and then, pay a fair few quid to get them."

One place to look for reliable security technicians is at companies such as Microsoft, Cisco, Novell and Sun, according to Mr De Spiegeleire of ISS. Hackers target the computer operating systems and network protocols that these companies produce (the recent "Code Red" virus aimed at the White House sought Microsoft operating systems), so developers from these companies can potentially help guard against penetration.

These professional developers tend to have a more appropriate, team-oriented work ethic, rather than being "lazy with over-inflated egos," he adds. Another source for talent is law enforcement agencies.

Whether security companies find their job candidates near an executive water cooler in Silicon Valley or on the Vegas strip, background checks are in order. These can range from stringent interviewing and personal reference procedures to criminal scans with law enforcement agencies.

Ask long enough at many computer security operations, and you will find coy acknowledgment that not everyone on board has an antiseptic past. At IBM, a security analyst who simply goes by the name of Paul euphemistically says unauthorised hacking was his "hobby" in the 1980s, before the Computer Misuse Act of 1990 made it explicitly illegal.

Chris Noble, an "ethical hacker" with Authoriszor, a UK-based computer security company, describes his own background as "being very curious...and hanging around with strange people who showed me things".

Many security pros might have dabbled in illicit hacking at university, where the camaraderie of computer departments encourages students "to see what they can get into," notes Bill Pepper, head of security risk management for Computer Sciences' UK arm. The trick is knowing where to draw the line.

"It would potentially cause problems with some of our clients if we were to hire Kevin Mitnick," he muses.

Mr Mitnick need not apply at CSC. For now, he will have to stick with his occupations of speaking, writing and hosting a weekly talk radio show in Los Angeles.