For the past four or five months, Mahalo.com has entrusted its site to a security consultant who stole hundreds of thousands of bank passwords with a massive botnet, which he sometimes administered from his former employer's premisis. For most of that time, serial entrepreneur and Mahalo CEO Jason Calacanis was in the dark …
Comparisons with Mitnick
You're confusing the criminal justice system with real justice.
These days you don't have to have harmed anyone or anything to go to jail, especially when it comes to government computer systems. Looking at the wrong things or even looking at the right things in the wrong way is enough. Say "hello" to the DMCA.
Government these days is all about making people afraid and to do that you have to show a threat, so you cast the net wide, make the charges sound fierce and then you can easily convict people who weren't really much of a threat.
Of course there are people who behave unethically and do a lot of damage. Stealing passwords to empty other peoples' bank accounts is a no-no and should be punished. Emptying other people's bank accounts when you have the title "manager" seems to be ok, though.
Icon: don't worry, he's an investment banker...
"We've made a point of supervising him and I talk to him on a daily basis."
"In the time that I've known John, he has been a model employee, and indeed, a model human being,"
This sounds awfully like Schiefer knows exactly which closets contain whose skeletons.
[And I wonder if my employers ever Google me and come up with my Reg-rants.]
["employer's premisis" hmmm]
They seem to be saying...
that the mere fact of serving your prison term is what reforms you. Therefore if you have time to serve and haven't served it, then by definition you aren't reformed. But once you have served your time you are, again by definition, reformed.
That's a crazy argument.
It's not the actual time itself that reforms you, in my opinion it's more likely to be the fact that you have been sentenced to xx years in prison that does the reforming.
Once you actually go to prison, my understanding of the stats is that you are more likely to come out a hardened, repeat offender, than you are to come out as a reformed person.
Passwords, pretty please
Well this is obvious. They're being nice to him up until the day he goes to prison so he doesn't screw their system. When he goes to jail, they'll say "We need to hire a temp to fill your position for, say, 4 years with time off for good behaviour. So could we pretty please have all the passwords. All of them. Yep. All. Please. Yeah, you can have your job back when you get out. Sure. Just write them all here. kthxbye"
"...the site.....doesn't collect sensitive user data, and all user passwords are encrypted, so they can't be viewed by employees..."
Well, maybe that's the way it was *intended* to work. When the guy looking after the admin side has a history of using malicious software added to machines to, er, collect sensitive data and capture user passwords in clear, who knows?
This Calacanis bloke. He's not large, of avian appearance, covered in black and white feathers, long necked and able to run very fast by any chance?
You make your decisions and you take your chances.
After all, whole nations reelect hardened criminals as the chief of their executive with the "background check" open to anyone who can open a newspaper. This can lead to interesting discussions but no hard conclusions. Thus Shrug.
"For most of that time, serial entrepreneur and Mahalo CEO Jason Calacanis was in the dark because no one at the company had bothered to Google the employee"
I expect they used Maholo rather than Google and it turned up 0 hits.
You would be surprised...
I have seen big banks hire people with no background check, no interview, no vetting process whatsoever - and then place them in a room with all the bank's computers, give them the root password, and expect everything to be tickety-boo.
Mind you, with the number of top banking figures without formal banking qualifications, it would seem they do the same thing when it comes to hiring their CEOs. Banks, it would seem, do not take security or competency as seriously as we hope they would.
Maybe it really IS time to start keeping your money under the mattress...
Good article but I don't like the tone. On the assumption that the majority of people aren't idiots, I sympathise with the geek and his employer. The paragraphs on bullying, etc seem a little weak. As for background checks, in my experience everyone says they do them but nobody ever gets around to it.
he could do a lot of damage if provoked
... and nothing would provoke him more than getting fired.
This "compassion" thing sounds to me like complete bull. If the hacker ever did anything to damage the company, the shareholders who lost value or employees who lost their jobs, as a result would be pretty pissed-off. What's more compassionate? employing someone like this, or looking out for the long-term security of your other employees and investors.
Job? What job?
If I read correctly, the subject used someone else's money to pay for a domain registration and used someone else's property without their permission (botnet.)
Assuming he made a reasonable amount of money that allowed him to drink the occasional beer and live a comfortable life, the above immediately disqualifies him for a position of trust.
You don't have to be trustworthy to do lots of jobs at a bank because there are people whose job it is to look over your shoulder. Positions of trust are different and those who violate trust are violating social compacts that allow our society to function quickly and smoothly. Having to worry about violations of trust slows us immensely.
People who work in the networked economy are aware of that. The employer knows that and is merely being disingenuous.
The subject in question should sell used automobiles for the rest of his natural life. That would place him in a social position where the public would understand how to interact with him on a day to day basis. There are plenty of people like him in the world. What is special about him because he knows "all about computers" as the clueless express it.
I was going to give the company the benefit of the doubt
and assume they were playing nice because they didn't want to run afoul of perverse employment laws.
Then I read the guys public statement....
The gene pool is in desperate need of some chlorination.
Since when did Googling someone constitute a background check? What other services will the oompa-loompas be providing? Can we expect short, orange trench-coat-and-fedora'd PIs? Surrealist corporate espionage?
I was one of the first hackers, I'd guess, since I started in 1972. I ended my unauthorized journeys in cyberspace sometime during the mid-80s. If some of the people I worked for knew I could crack their systems easily (although "security" was a misnomer then), would they ever have hired me to do anything? Then again, when I was a teenager and in my early 20s, driving too fast was nothing to brag about. Now it tends to be a felony. There are lines being drawn here, and most people can't begin to envision the consequences. Maybe we should start going to church again. That way we could spend one day in Purgatory and sin the other six in the old-fashioned way.
250,000-strong botnet. For profit. That is the number of machines this guy has screwed up. That is not an unauthorized journey, that's 250,000 computers that now have to be fixed. Seriuosly, there are better things the Geek squad could be doing. So what if he says that he has changed his way. If I burn a building down, but I promise it's the last time, am I free to go? Is it responsible to put a freshly convicted con-artist thief in charge of a bank?
Some more info. http://voices.washingtonpost.com/securityfix/2007/11/security_pro_admits_to_hijacki.html
I don't see him as worse than other white collar criminals like Bernie Madoff, but just because he's a computer "hac..... punk admin" doesn't make him any better. Bernie just "hacked" the investors.
@ AC "250,000-strong botnet"
Dear sir, you seem to have missed the point entirely. A few numbers you cite suggest you are commenting on the right article though -and might even have read it. Are you a very stupid troll or just a very stupid person?
It's clear, though, that they did't fire him:
-because he's not dangerous for them now
-and because he could erase them from the face of the Earth if they made him angry
The worst I have ever done
The worst I have ever done at my past employer was running for 2 years a Quake 1 server.
Think of the children
How to become a System Administrator:
Option 1: Spend about $100,000 in schooling, spend another $10,000 in certifications, hope to find a company looking for a new admin...
Option 2: Drop out of school, become script kiddie, build a botnet, steal money, wait for some company to throw you a six digit salary job...
What a backward ass system.