A couple of thorny ethical questions have raised their head recently, and like most of these things, figuring out what's the "right" thing to do has not been easy.
The first situation came out of an interview. It's a classic problem - one that I've heard asked as a hypothetical "what would you do?" in interviews for a management post - but it does happen, and it happened to us.
We've been searching high and low for a damn good sysadmin, without much success, for months. We finally found a candidate with all the skills and a great attitude; he would have been absolutely perfect for us... there was just one small niggle - in his younger days, he'd hacked into a major credit card provider. Not just for a look-see, either; he actually figured out a way to use people's credit card numbers without their accounts being charged, and used it.
He didn't really know how much he took in total, but in the end he turned himself in, and did hard time for it. Now a completely reformed character, he was looking for a job that used his obviously abundant skills in a positive way.
To his credit, he was very open about this, and he talked quite freely about it. We really liked him, and we were satisfied that he wouldn't be a security problem. However, then there's the matter of our customers...
We do work for some pretty security-conscious clients. Some of them have US Top Secret classified projects. Although we were quite happy that this guy wouldn't be a security risk, would they be? We're a small startup, battling for contracts along with the rest, and it's hard enough at times to get big corporations to take you at all seriously even at the moment. Anyone who has ever jumped through the zillion flaming hoops that they put you through in order to get a whiff of business from these kinds of companies knows just how insane their security procedures can be. (I'm still smiling at the badge I had to wear on one site visit recently - big bold capital letters, red font - "FOREIGN PERSON! ESCORT REQUIRED!") If one of them got wind of us having a genuine time-served cracker working for us, we'd be dead in the water.
In the end we had to make the uncomfortable decision that we couldn't hire this guy, despite him being one of the best candidates we've had. We're still looking for a suitable sysadmin.
That was a few months ago. The second incident is much more recent - yesterday, in fact - and quite similar; it's kind of approaching the same question of reform and change, but from an opposite direction. Mind you, this post has gotten quite long, so I'll put that in a post of its own.