Web maven gives convicted botmaster keys to new kingdom

Mahalo.com embraces Acidstorm

Build a business case: developing custom apps

For the past four or five months, Mahalo.com has entrusted its site to a security consultant who stole hundreds of thousands of bank passwords with a massive botnet, which he sometimes administered from his former employer's premisis.

For most of that time, serial entrepreneur and Mahalo CEO Jason Calacanis was in the dark because no one at the company had bothered to Google the rogue employee. But even after learning that 27-year-old John Kenneth Schiefer confessed to extensive botnet crimes just 16 months ago, they are continuing to trust him with system root passwords and other sensitive company information.

"After really a lot of careful deliberation and looking at exactly what damage he could do here and how he was being supervised, we made a compassionate decision to let him work up to the day that he goes to prison," Calacanis told The Register. "We've made a point of supervising him and I talk to him on a daily basis."

On Wednesday, a federal judge sentenced Schiefer to serve four years in federal prison and pay $20,000 in restitution and a $2,500 fine. The hacker, who went by the names Acid and Acidstorm, has been given 90 days to surrender to prison officials.

Schiefer's employment with Mahalo exposes an interesting quandary over the roles redemption and accountability ought to play when hiring employees for sensitive IT positions. Schiefer admitted to pilfering hundreds of thousands of online banking passwords, wielding a 250,000-strong botnet and even illegally accessing computers belonging to customers of his former employer, Los Angeles-based 3G Communications.

At the same time, convicted computer felons such as Kevin Mitnick would suggest that criminal hackers can go on to be trusted security consultants. After spending five years in jail for a two-and-a-half-year hacking spree, Mitnick went on to found a private consulting business and regularly speaks at security conferences attended by people in the private sector and the federal government.

What makes two security consultants we spoke to uncomfortable in this case is two things: that Mahalo executives never bothered to perform a background check on Schiefer, and that so little time has passed between his conviction and his employment.

"It's standard operating procedure to give people background checks," said Thomas Ptacek, a researcher at security provider Matasano. "I would say that in any industries we work in, if you were a convicted or well-known botnet operator, that would be an issue for everyone."

Calacanis said Mahalo's hiring process is rigorous, but in the case of Schiefer, Mahalo's CTO and long-time Calacanis friend Mark Jeffrey "made a mistake and didn't Google" the employee before offering him a job. Once the error came to light, Mahalo execs decided to allow Schiefer to continue his employment.

Calacanis and Jeffrey have since put their own reputations on the line by vouching for Schiefer's trustworthiness. "In the time that I've known John, he has been a model employee, and indeed, a model human being," Jeffrey wrote in a letter submitted this week arguing Schiefer should not be sentenced to prison. "I would hire him again in a second."

Asked how they can be sure Schiefer is reformed even before he's served a day in prison or paid a dime in restitution, Calacanis said: "I think I know the difference between someone who is extremely malicious and looking to destroy people's lives and steal a bunch of identities and somebody who is maybe too intelligent and curious for their own good. I think that's the case here."

Aggravating factors

It would seem Calacanis didn't read the documents filed in Schiefer's extensive case history. Court papers cite a variety of aggravating factors, including "bullying" underage accomplices to use his botnet software to steal people's personal information. "Quit being a bitch and claim it," Schiefer told a juvenile apprentice named Adam, according to court documents.

He similarly goaded a hacker named phr33k to "rape" the IP address of a target by launching DDoS, or distributed denial of service, attacks and later bragged the he made "more money on bots (infected computers) than people do with legitimate jobs," according to an declaration filed in the case. In addition to selling and giving away pilfered usernames and passwords to cohorts, he also personally used stolen PayPal accounts to buy domain names, according to a plea agreement signed by Schiefer.

Without a doubt, reformed criminals should be given the chance to become productive members of society, but the facts of the case mean that Schiefer's employment at Mahalo is probably a bad idea, said Tom Parker, director of commercial security services at Securicon.

"When the crime is so recent and the person has a history of abusing the trust that they have with their employers, it's a different story," Parker said. "The purpose of going to jail is punishment where you reflect on the bad things you've done and set a new course for yourself. He's obviously not had a chance to do that."

Calacanis said the amount of damage that Schiefer could do is limited. The site offers content for free, doesn't collect sensitive user data, and all user passwords are encrypted, so they can't be viewed by employees, he said.

"The risk is that he damages us and that was a risk I was willing to take," Calacanis said. "If we were PayPal, he wouldn't be working there."

But Ptacek isn't so sure and he points to the regular abuse of content websites by cybercriminals to propagate malware.

"The compromise of one of those sites is part of the botnet food chain," he said. "It's not as if there's no relation between a large content site like Mahalo and the damage caused by a botnet." ®

This story was updated to correct the spelling of Mahalo CEO. It's Calacanis.

The essential guide to IT transformation

More from The Register

next story
Rupert Murdoch says Google is worse than the NSA
Mr Burns vs. The Chocolate Factory, round three!
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
Know what Ferguson city needs right now? It's not Anonymous doxing random people
U-turn on vow to identify killer cop after fingering wrong bloke
Germany 'accidentally' snooped on John Kerry and Hillary Clinton
Dragnet surveillance picks up EVERYTHING, USA, m'kay?
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
prev story


Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.