When you say that your friend “spent his early career hacking into government agencies’ systems,” you sort of imply that he was being paid to do this. If it was legitimate work, then that’s just another penetration testing job, and I would say more power to him, particularly if he’s getting paid big bucks! If it was not legitimate work and he wasn’t being paid, then it could range from simply mischievous behavior to a relatively minor offense or misdemeanor. This is by far the most common case in conversations like this. Again, I don’t know your friend, but many non-technical people have computer literate friends who dazzle them with fish stories about incredible feats of computer security. I’ve heard some rather preposterous tales, and although I have become rather skeptical about the stories, I would not consider telling such tales disqualifying in terms of employment.

Of course, it is also possible your friend did some more serious “grey hat” sort of activities. A good example of this is Christopher Soghoian’s boarding pass incident. Was it strictly legal? Yes. Was it ethically dubious? That’s another question altogether. More importantly, is this the sort of thing I’m talking about in this post? No. I’m talking about actual criminals — people who have chosen to willfully violate the law and commit crimes for money or power. These are people who are doing it for a living, either to get rich quick or as a day job. I very strongly suspect that this does not describe your friend, who may fall into the “grey hat” category at worst.

Now, if your friend was an actual criminal who sought to make a career out of computer fraud, I would find it extraordinarily hard to hire him to do computer security work, particularly if he was charged, tried, and convicted for computer fraud. This should be obvious. There are simply too many good people out there without the criminal baggage.

Thanks for the comment! I really should have been more clear about that in the post.