Feeds

Web maven gives convicted botmaster keys to new kingdom

Mahalo.com embraces Acidstorm

Boost IT visibility and business value

For the past four or five months, Mahalo.com has entrusted its site to a security consultant who stole hundreds of thousands of bank passwords with a massive botnet, which he sometimes administered from his former employer's premisis.

For most of that time, serial entrepreneur and Mahalo CEO Jason Calacanis was in the dark because no one at the company had bothered to Google the rogue employee. But even after learning that 27-year-old John Kenneth Schiefer confessed to extensive botnet crimes just 16 months ago, they are continuing to trust him with system root passwords and other sensitive company information.

"After really a lot of careful deliberation and looking at exactly what damage he could do here and how he was being supervised, we made a compassionate decision to let him work up to the day that he goes to prison," Calacanis told The Register. "We've made a point of supervising him and I talk to him on a daily basis."

On Wednesday, a federal judge sentenced Schiefer to serve four years in federal prison and pay $20,000 in restitution and a $2,500 fine. The hacker, who went by the names Acid and Acidstorm, has been given 90 days to surrender to prison officials.

Schiefer's employment with Mahalo exposes an interesting quandary over the roles redemption and accountability ought to play when hiring employees for sensitive IT positions. Schiefer admitted to pilfering hundreds of thousands of online banking passwords, wielding a 250,000-strong botnet and even illegally accessing computers belonging to customers of his former employer, Los Angeles-based 3G Communications.

At the same time, convicted computer felons such as Kevin Mitnick would suggest that criminal hackers can go on to be trusted security consultants. After spending five years in jail for a two-and-a-half-year hacking spree, Mitnick went on to found a private consulting business and regularly speaks at security conferences attended by people in the private sector and the federal government.

What makes two security consultants we spoke to uncomfortable in this case is two things: that Mahalo executives never bothered to perform a background check on Schiefer, and that so little time has passed between his conviction and his employment.

"It's standard operating procedure to give people background checks," said Thomas Ptacek, a researcher at security provider Matasano. "I would say that in any industries we work in, if you were a convicted or well-known botnet operator, that would be an issue for everyone."

Calacanis said Mahalo's hiring process is rigorous, but in the case of Schiefer, Mahalo's CTO and long-time Calacanis friend Mark Jeffrey "made a mistake and didn't Google" the employee before offering him a job. Once the error came to light, Mahalo execs decided to allow Schiefer to continue his employment.

Calacanis and Jeffrey have since put their own reputations on the line by vouching for Schiefer's trustworthiness. "In the time that I've known John, he has been a model employee, and indeed, a model human being," Jeffrey wrote in a letter submitted this week arguing Schiefer should not be sentenced to prison. "I would hire him again in a second."

Asked how they can be sure Schiefer is reformed even before he's served a day in prison or paid a dime in restitution, Calacanis said: "I think I know the difference between someone who is extremely malicious and looking to destroy people's lives and steal a bunch of identities and somebody who is maybe too intelligent and curious for their own good. I think that's the case here."

Aggravating factors

It would seem Calacanis didn't read the documents filed in Schiefer's extensive case history. Court papers cite a variety of aggravating factors, including "bullying" underage accomplices to use his botnet software to steal people's personal information. "Quit being a bitch and claim it," Schiefer told a juvenile apprentice named Adam, according to court documents.

He similarly goaded a hacker named phr33k to "rape" the IP address of a target by launching DDoS, or distributed denial of service, attacks and later bragged the he made "more money on bots (infected computers) than people do with legitimate jobs," according to an declaration filed in the case. In addition to selling and giving away pilfered usernames and passwords to cohorts, he also personally used stolen PayPal accounts to buy domain names, according to a plea agreement signed by Schiefer.

Without a doubt, reformed criminals should be given the chance to become productive members of society, but the facts of the case mean that Schiefer's employment at Mahalo is probably a bad idea, said Tom Parker, director of commercial security services at Securicon.

"When the crime is so recent and the person has a history of abusing the trust that they have with their employers, it's a different story," Parker said. "The purpose of going to jail is punishment where you reflect on the bad things you've done and set a new course for yourself. He's obviously not had a chance to do that."

Calacanis said the amount of damage that Schiefer could do is limited. The site offers content for free, doesn't collect sensitive user data, and all user passwords are encrypted, so they can't be viewed by employees, he said.

"The risk is that he damages us and that was a risk I was willing to take," Calacanis said. "If we were PayPal, he wouldn't be working there."

But Ptacek isn't so sure and he points to the regular abuse of content websites by cybercriminals to propagate malware.

"The compromise of one of those sites is part of the botnet food chain," he said. "It's not as if there's no relation between a large content site like Mahalo and the damage caused by a botnet." ®

This story was updated to correct the spelling of Mahalo CEO. It's Calacanis.

Gartner critical capabilities for enterprise endpoint backup

More from The Register

next story
Microsoft: We plan to CLEAN UP this here Windows Store town
Paid-for apps that provide free downloads? Really
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Hear ye, young cyber warriors of the realm: GCHQ wants you
Get involved, get a job and then never discuss work ever again
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
7 Elements of Radically Simple OS Migration
Avoid the typical headaches of OS migration during your next project by learning about 7 elements of radically simple OS migration.
BYOD's dark side: Data protection
An endpoint data protection solution that adds value to the user and the organization so it can protect itself from data loss as well as leverage corporate data.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?