Web maven gives convicted botmaster keys to new kingdom
Mahalo.com embraces Acidstorm
Posted in Enterprise Security, 5th March 2009 21:58 GMT
Free whitepaper – Solid State Drives and High-Speed Memory
For the past four or five months, Mahalo.com has entrusted its site to a security consultant who stole hundreds of thousands of bank passwords with a massive botnet, which he sometimes administered from his former employer's premisis.
For most of that time, serial entrepreneur and Mahalo CEO Jason Calacanis was in the dark because no one at the company had bothered to Google the employee. But even after learning that 27-year-old John Kenneth Schiefer confessed to extensive botnet crimes just 16 months ago, they are continuing to trust him with system root passwords and other sensitive company information.
"After really a lot of careful deliberation and looking at exactly what damage he could do here and how he was being supervised, we made a compassionate decision to let him work up to the day that he goes to prison," Calacanis told The Register. "We've made a point of supervising him and I talk to him on a daily basis."
On Wednesday, a federal judge sentenced Schiefer to serve four years in federal prison and pay $20,000 in restitution and a $2,500 fine. The hacker, who went by the names Acid and Acidstorm, has been given 90 days to surrender to prison officials.
Schiefer's employment with Mahalo exposes an interesting quandary over the roles redemption and accountability ought to play when hiring employees for sensitive IT positions. Schiefer admitted to pilfering hundreds of thousands of online banking passwords, wielding a 250,000-strong botnet and even illegally accessing computers belonging to customers of his former employer, Los Angeles-based 3G Communications.
At the same time, convicted computer felons such as Kevin Mitnick would suggest that criminal hackers can go on to be trusted security consultants. After spending five years in jail for a two-and-a-half-year hacking spree, Mitnick went on to found a private consulting business and regularly speaks at security conferences attended by people in the private sector and the federal government.
What makes two security consultants we spoke to uncomfortable in this case is two things: that Mahalo executives never bothered to perform a background check on Schiefer, and that so little time has passed between his conviction and his employment.
"It's standard operating procedure to give people background checks," said Thomas Ptacek, a researcher at security provider Matasano. "I would say that in any industries we work in, if you were a convicted or well-known botnet operator, that would be an issue for everyone."
Calacanis said Mahalo's hiring process is rigorous, but in the case of Schiefer, Mahalo's CTO and long-time Calacanis friend Mark Jeffrey "made a mistake and didn't Google" the employee before offering him a job. Once the error came to light, Mahalo execs decided to allow Schiefer to continue his employment.
Calacanis and Jeffrey have since put their own reputations on the line by vouching for Schiefer's trustworthiness. "In the time that I've known John, he has been a model employee, and indeed, a model human being," Jeffrey wrote in a letter submitted this week arguing Schiefer should not be sentenced to prison. "I would hire him again in a second."
Asked how they can be sure Schiefer is reformed even before he's served a day in prison or paid a dime in restitution, Calacanis said: "I think I know the difference between someone who is extremely malicious and looking to destroy people's lives and steal a bunch of identities and somebody who is maybe too intelligent and curious for their own good. I think that's the case here."
Next page: Aggravating factors
Free whitepaper – Ensuring service assurance in the new normal
The Register Guide to Extended Validation
The Evolving Security Landscape
The Impact of IT Security Attitudes
Risk and Resilience
Linux on the Desktop
