For the past four or five months, Mahalo.com has entrusted its site to a security consultant who stole hundreds of thousands of bank passwords with a massive botnet, which he sometimes administered from his former employer's premisis.
For most of that time, serial entrepreneur and Mahalo CEO Jason Calacanis was in the dark because no one at the company had bothered to Google the rogue employee. But even after learning that 27-year-old John Kenneth Schiefer confessed to extensive botnet crimes just 16 months ago, they are continuing to trust him with system root passwords and other sensitive company information.
"After really a lot of careful deliberation and looking at exactly what damage he could do here and how he was being supervised, we made a compassionate decision to let him work up to the day that he goes to prison," Calacanis told The Register. "We've made a point of supervising him and I talk to him on a daily basis."
On Wednesday, a federal judge sentenced Schiefer to serve four years in federal prison and pay $20,000 in restitution and a $2,500 fine. The hacker, who went by the names Acid and Acidstorm, has been given 90 days to surrender to prison officials.
Schiefer's employment with Mahalo exposes an interesting quandary over the roles redemption and accountability ought to play when hiring employees for sensitive IT positions. Schiefer admitted to pilfering hundreds of thousands of online banking passwords, wielding a 250,000-strong botnet and even illegally accessing computers belonging to customers of his former employer, Los Angeles-based 3G Communications.
At the same time, convicted computer felons such as Kevin Mitnick would suggest that criminal hackers can go on to be trusted security consultants. After spending five years in jail for a two-and-a-half-year hacking spree, Mitnick went on to found a private consulting business and regularly speaks at security conferences attended by people in the private sector and the federal government.
What makes two security consultants we spoke to uncomfortable in this case is two things: that Mahalo executives never bothered to perform a background check on Schiefer, and that so little time has passed between his conviction and his employment.
"It's standard operating procedure to give people background checks," said Thomas Ptacek, a researcher at security provider Matasano. "I would say that in any industries we work in, if you were a convicted or well-known botnet operator, that would be an issue for everyone."
Calacanis said Mahalo's hiring process is rigorous, but in the case of Schiefer, Mahalo's CTO and long-time Calacanis friend Mark Jeffrey "made a mistake and didn't Google" the employee before offering him a job. Once the error came to light, Mahalo execs decided to allow Schiefer to continue his employment.
Calacanis and Jeffrey have since put their own reputations on the line by vouching for Schiefer's trustworthiness. "In the time that I've known John, he has been a model employee, and indeed, a model human being," Jeffrey wrote in a letter submitted this week arguing Schiefer should not be sentenced to prison. "I would hire him again in a second."
Asked how they can be sure Schiefer is reformed even before he's served a day in prison or paid a dime in restitution, Calacanis said: "I think I know the difference between someone who is extremely malicious and looking to destroy people's lives and steal a bunch of identities and somebody who is maybe too intelligent and curious for their own good. I think that's the case here."
It would seem Calacanis didn't read the documents filed in Schiefer's extensive case history. Court papers cite a variety of aggravating factors, including "bullying" underage accomplices to use his botnet software to steal people's personal information. "Quit being a bitch and claim it," Schiefer told a juvenile apprentice named Adam, according to court documents.
He similarly goaded a hacker named phr33k to "rape" the IP address of a target by launching DDoS, or distributed denial of service, attacks and later bragged the he made "more money on bots (infected computers) than people do with legitimate jobs," according to an declaration filed in the case. In addition to selling and giving away pilfered usernames and passwords to cohorts, he also personally used stolen PayPal accounts to buy domain names, according to a plea agreement signed by Schiefer.
Without a doubt, reformed criminals should be given the chance to become productive members of society, but the facts of the case mean that Schiefer's employment at Mahalo is probably a bad idea, said Tom Parker, director of commercial security services at Securicon.
"When the crime is so recent and the person has a history of abusing the trust that they have with their employers, it's a different story," Parker said. "The purpose of going to jail is punishment where you reflect on the bad things you've done and set a new course for yourself. He's obviously not had a chance to do that."
Calacanis said the amount of damage that Schiefer could do is limited. The site offers content for free, doesn't collect sensitive user data, and all user passwords are encrypted, so they can't be viewed by employees, he said.
"The risk is that he damages us and that was a risk I was willing to take," Calacanis said. "If we were PayPal, he wouldn't be working there."
But Ptacek isn't so sure and he points to the regular abuse of content websites by cybercriminals to propagate malware.
"The compromise of one of those sites is part of the botnet food chain," he said. "It's not as if there's no relation between a large content site like Mahalo and the damage caused by a botnet." ®
This story was updated to correct the spelling of Mahalo CEO. It's Calacanis.