Web maven gives convicted botmaster keys to new kingdom

Mahalo.com embraces Acidstorm

Seven Steps to Software Security

For the past four or five months, Mahalo.com has entrusted its site to a security consultant who stole hundreds of thousands of bank passwords with a massive botnet, which he sometimes administered from his former employer's premisis.

For most of that time, serial entrepreneur and Mahalo CEO Jason Calacanis was in the dark because no one at the company had bothered to Google the rogue employee. But even after learning that 27-year-old John Kenneth Schiefer confessed to extensive botnet crimes just 16 months ago, they are continuing to trust him with system root passwords and other sensitive company information.

"After really a lot of careful deliberation and looking at exactly what damage he could do here and how he was being supervised, we made a compassionate decision to let him work up to the day that he goes to prison," Calacanis told The Register. "We've made a point of supervising him and I talk to him on a daily basis."

On Wednesday, a federal judge sentenced Schiefer to serve four years in federal prison and pay $20,000 in restitution and a $2,500 fine. The hacker, who went by the names Acid and Acidstorm, has been given 90 days to surrender to prison officials.

Schiefer's employment with Mahalo exposes an interesting quandary over the roles redemption and accountability ought to play when hiring employees for sensitive IT positions. Schiefer admitted to pilfering hundreds of thousands of online banking passwords, wielding a 250,000-strong botnet and even illegally accessing computers belonging to customers of his former employer, Los Angeles-based 3G Communications.

At the same time, convicted computer felons such as Kevin Mitnick would suggest that criminal hackers can go on to be trusted security consultants. After spending five years in jail for a two-and-a-half-year hacking spree, Mitnick went on to found a private consulting business and regularly speaks at security conferences attended by people in the private sector and the federal government.

What makes two security consultants we spoke to uncomfortable in this case is two things: that Mahalo executives never bothered to perform a background check on Schiefer, and that so little time has passed between his conviction and his employment.

"It's standard operating procedure to give people background checks," said Thomas Ptacek, a researcher at security provider Matasano. "I would say that in any industries we work in, if you were a convicted or well-known botnet operator, that would be an issue for everyone."

Calacanis said Mahalo's hiring process is rigorous, but in the case of Schiefer, Mahalo's CTO and long-time Calacanis friend Mark Jeffrey "made a mistake and didn't Google" the employee before offering him a job. Once the error came to light, Mahalo execs decided to allow Schiefer to continue his employment.

Calacanis and Jeffrey have since put their own reputations on the line by vouching for Schiefer's trustworthiness. "In the time that I've known John, he has been a model employee, and indeed, a model human being," Jeffrey wrote in a letter submitted this week arguing Schiefer should not be sentenced to prison. "I would hire him again in a second."

Asked how they can be sure Schiefer is reformed even before he's served a day in prison or paid a dime in restitution, Calacanis said: "I think I know the difference between someone who is extremely malicious and looking to destroy people's lives and steal a bunch of identities and somebody who is maybe too intelligent and curious for their own good. I think that's the case here."

Aggravating factors

It would seem Calacanis didn't read the documents filed in Schiefer's extensive case history. Court papers cite a variety of aggravating factors, including "bullying" underage accomplices to use his botnet software to steal people's personal information. "Quit being a bitch and claim it," Schiefer told a juvenile apprentice named Adam, according to court documents.

He similarly goaded a hacker named phr33k to "rape" the IP address of a target by launching DDoS, or distributed denial of service, attacks and later bragged the he made "more money on bots (infected computers) than people do with legitimate jobs," according to an declaration filed in the case. In addition to selling and giving away pilfered usernames and passwords to cohorts, he also personally used stolen PayPal accounts to buy domain names, according to a plea agreement signed by Schiefer.

Without a doubt, reformed criminals should be given the chance to become productive members of society, but the facts of the case mean that Schiefer's employment at Mahalo is probably a bad idea, said Tom Parker, director of commercial security services at Securicon.

"When the crime is so recent and the person has a history of abusing the trust that they have with their employers, it's a different story," Parker said. "The purpose of going to jail is punishment where you reflect on the bad things you've done and set a new course for yourself. He's obviously not had a chance to do that."

Calacanis said the amount of damage that Schiefer could do is limited. The site offers content for free, doesn't collect sensitive user data, and all user passwords are encrypted, so they can't be viewed by employees, he said.

"The risk is that he damages us and that was a risk I was willing to take," Calacanis said. "If we were PayPal, he wouldn't be working there."

But Ptacek isn't so sure and he points to the regular abuse of content websites by cybercriminals to propagate malware.

"The compromise of one of those sites is part of the botnet food chain," he said. "It's not as if there's no relation between a large content site like Mahalo and the damage caused by a botnet." ®

This story was updated to correct the spelling of Mahalo CEO. It's Calacanis.

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
prev story


Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.