Full Disclosure mailing list archives
Re: Scandal: IT Security firm hires the author of Sasser worm
From: ktabic <lists () ktabic co uk>
Date: Tue, 21 Sep 2004 10:27:27 +0000
On Mon, 2004-09-20 at 15:43 -0400, Barry Fitzgerald wrote:
ktabic wrote:Well, I vaguely recall laws that state that a convicted criminal isn't allowed to profit from his crime, even after he has served his sentence. This does, however, sound like he is profiting from his crime. Think: would he have been given this job if he hadn't had his named plastered all over the newspapers?
I don't have an opinion on this particular situation. I really, seriously don't. But, here are some things everyone should think about: - Have you ever exceeded 20 mph above the speed limit? If so, does that make you incapable of driving a big rig truck? If so, I think we should probably be very wary of our use of the roads. It's much more difficult to get a commercial license if you've been caught speeding, but no one ever said it was impossible.
Funnily enough. No. I haven't.
- What about the people who were never caught? How's the paranoia setting in now? :) Seriously, though, which is more dangerous? A cracker's who's been caught and knows he's being watched, or a cracker who has never been caught and knows that he can silently observe the inner workings of an organization and, with time on his side, exploit it. If you say "the guy who got caught", then you need to rethink your stance on reality.
Nope, the paranoia hasn't kicked in. It was already there. Paranoia is a vital skill for any Sysadmin, imho. And I agree that the unknown ones are more dangerous. That, however isn't a reason to allow the known ones of the hook with a: Well, now we know about you. Popping back to the speeding example above. If you get caught doing 20 mph above the speed limit, you are liable to lose you license (in this country) unless you can come up with a really good reason. And: my job depends on being able to drive usually isn't good enough. And even if you don't lose the license, you gain penalties, which can accumulate into lost of the privilage to drive. So there is a difference between being caught for speeding. Get caught doign the proverbial 20mph above on a computer, you penalty is: Getting offered a job, and still being allowed to use a computer. To do what ever you want. That, at least, is what I see from this, and others like this.
- How do criminals reintegrate into society if they're not allowed to be gainfully employed in their specialty? You may scoff at this, but it's a very valid question.
Nope, I don't scoff at this. However, I have yet to see a job advertised: Professinal Virus Programmer, or with a job description of exploiting flaws in computers to compromise them againist thier owners will. * So he has a speciality that isn't really in demand. * There may, however, be openings in the CIA, NSA, GCHQ, <insert favoured intelligence gathering agency here>.
Not allowing a criminal, once released, to be openly and gainfully employed only gives them more reason to again turn to crime. Would you prefer that he work for the russian mafia writing web exploits? If you want to take away his ability to be employed, then you're virtually forcing him into a life of crime. How productive is that?
<cynic>Hmm, yes. Thats actually a good idea. Since he is already known to those whose job it is to investigate and catch criminals, they may find things eassier</cynic> Hmm, so the armed robber should be allowed, as part of his rehabilitation, to become gainfully employed as...? Well, what ever he could become gainfully employed as, it won't be as an armed robber. Theres nothing to stop him from becoming gainfully employed as, say, a builder. Or even a dustman, which is actually quite and important job.
- Employing known crackers is not new. People have been throwing around the term "unethical" with regard to his employment, but I fail to see how his being employed is unethical. It would be unethical if the company were employing him to crack their opponents, but thus far there's no indication that that's the case. In fact, it hasn't even been mentioned what he was employed to do. How do you know that he's not in a basement somewhere with a 386 and a floppy drive dissecting malware that's been handed to him physically? You don't know what he's doing, so why start making silly assumptions about the basis for his employment? But this practice, of employing known crackers, is not new and it's not unethical. The act of simply employing someone to do a legal job can't be unethical unless what they're being told to do is unethical.
Ok, he's working as a a trainee software developer working on security products. Hows that?
If your perspective is that it's unethical *because* he wrote a worm and should be barred from employment for the rest of eternity because of it -- well, you're advocating the use of stigma judication, like having a scarlet A for adultery. I thought we were beyond that?
Not at all. It's unethical, not because he has that job. It's unethical because securepoint wrote to him and invited him to apply. Thats the unethical part. I have no problem with him applying for jobs, as a programmer, or pentester, whatever. The unethical part is a firm that specialises in security invites a known virus writer to write software for them.
I don't have an opinion on the specific case at hand, but these points apply to the issue. This seems to be the hot topic on the list right now. Can't we just agree that we simply don't have enough information to pass judgement? And, for the sake of the list, let's get off whether someone should be employed or not -- isn't that a better topic for a sociology list than this one? I'll tell you one thing, you'll get better formed opinions on the sociology list. So far, people seem to be taking emotional sides... and that will never lead to a reasoned solution.
Unfortunatley, it's likely to become hotter, more deatails are emerging. You know, I'm sure some of the IT rags subscribe to this list.;) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Scandal: IT Security firm hires the author of Sasser worm Feher Tamas (Sep 20)
- Re: Scandal: IT Security firm hires the author of Sasser worm bb (Sep 20)
- Re: Scandal: IT Security firm hires the author of Sasser worm John Galt (Sep 20)
- Re: Scandal: IT Security firm hires the author of Sasser worm adf--at--Code511.com (Sep 20)
- Re: Scandal: IT Security firm hires the author of Sasser worm ktabic (Sep 20)
- Re: Scandal: IT Security firm hires the author of Sasser worm Barry Fitzgerald (Sep 20)
- Re: Scandal: IT Security firm hires the author of Sasser worm ktabic (Sep 21)
- Re: Scandal: IT Security firm hires the author of Sasser worm Barry Fitzgerald (Sep 21)
- Re: Scandal: IT Security firm hires the author of Sasser worm ktabic (Sep 20)
- Re: Scandal: IT Security firm hires the author of Sasser worm bb (Sep 20)
- Re: Scandal: IT Security firm hires the author of Sasser worm Vincent Archer (Sep 20)
- Re: Scandal: IT Security firm hires the author of Sasser worm Georgi Guninski (Sep 20)
- Re: Scandal: IT Security firm hires the author of Sasser worm morning_wood (Sep 20)
- Re: Scandal: IT Security firm hires the author of Sasser worm Will Image (Sep 20)
- Re: Scandal: IT Security firm hires the author of Sasser worm Bruce Ediger (Sep 20)
- Re: Scandal: IT Security firm hires the author of Sasser worm Samir Kelekar (Sep 20)