Re: Scandal: IT Security firm hires the author of Sasser worm

[ktabic <lists () ktabic co uk>]

On Mon, 2004-09-20 at 15:43 -0400, Barry Fitzgerald wrote:
> ktabic wrote:
>
> > Well, I vaguely recall laws that state that a convicted criminal isn't
> > allowed to profit from his crime, even after he has served his sentence.
> > This does, however, sound like he is profiting from his crime.
> > Think: would he have been given this job if he hadn't had his named
> > plastered all over the newspapers?

> I don't have an opinion on this particular situation.  I really, 
> seriously don't.
>
> But, here are some things everyone should think about:
>
>        - Have you ever exceeded 20 mph above the speed limit?  If so, 
> does that make you incapable of driving a big rig truck?  If so, I think 
> we should probably be very wary of our use of the roads.  It's much more 
> difficult to get a commercial license if you've been caught speeding, 
> but no one ever said it was impossible.

Funnily enough. No. I haven't.
>        - What about the people who were never caught?  How's the 
> paranoia setting in now? :)  Seriously, though, which is more 
> dangerous?  A cracker's who's been caught and knows he's being watched, 
> or a cracker who has never been caught and knows that he can silently
> observe the inner workings of an organization and, with time on his side, 
> exploit it.  If you say "the guy who got caught", then you need to rethink 
> your stance on reality.

Nope, the paranoia hasn't kicked in. It was already there. Paranoia is a
vital skill for any Sysadmin, imho. And I agree that the unknown ones
are more dangerous. That, however isn't a reason to allow the known ones
of the hook with a: Well, now we know about you.
Popping back to the speeding example above. If you get caught doing 20
mph above the speed limit, you are liable to lose you license (in this
country) unless you can come up with a really good reason. And: my job
depends on being able to drive usually isn't good enough. And even if
you don't lose the license, you gain penalties, which can accumulate
into lost of the privilage to drive.
So there is a difference between being caught for speeding. Get caught
doign the proverbial 20mph above on a computer, you penalty is:
Getting offered a job, and still being allowed to use a computer. To do
what ever you want.
That, at least, is what I see from this, and others like this.
>        - How do criminals reintegrate into society if they're not 
> allowed to be gainfully employed in their specialty?  You may scoff at 
> this, but it's a very valid question.

Nope, I don't scoff at this.
However, I have yet to see a job advertised: Professinal Virus
Programmer, or with a job description of exploiting flaws in computers
to compromise them againist thier owners will. *
So he has a speciality that isn't really in demand.

* There may, however, be openings in the CIA, NSA, GCHQ, <insert
favoured intelligence gathering agency here>.

>           Not allowing a criminal, once released, to be openly and 
> gainfully employed only gives them more reason to again turn to crime.  
> Would you prefer that he work for the russian mafia writing web exploits?  
> If you want to take away his ability to be employed, then you're virtually 
> forcing him into a life of crime. How productive is that?

<cynic>Hmm, yes. Thats actually a good idea. Since he is already known
to those whose job it is to investigate and catch criminals, they may
find things eassier</cynic>
Hmm, so the armed robber should be allowed, as part of his
rehabilitation, to become gainfully employed as...? Well, what ever he
could become gainfully employed as, it won't be as an armed robber.
Theres nothing to stop him from becoming gainfully employed as, say, a
builder. Or even a dustman, which is actually quite and important job.
>        - Employing known crackers is not new.  People have been throwing 
> around the term "unethical" with regard to his employment, but I fail to 
> see how his being employed is unethical. It would be unethical if the company 
> were employing him to crack their opponents, but thus far there's no indication 
> that that's the case. In fact, it hasn't even been mentioned what he was employed 
> to do.  How do you know that he's not in a basement somewhere with a 386 and a 
> floppy drive dissecting malware that's been handed to him physically?  You don't 
> know what he's doing, so why start making silly assumptions about the basis for 
> his employment?  But this practice, of employing known crackers, is not new and 
> it's not unethical.  The act of simply employing someone to do a legal job can't 
> be unethical unless what they're being told to do is unethical.  

Ok, he's working as a a trainee software developer working on security
products. Hows that?

> If your perspective is that it's unethical *because* he wrote a worm and should be 
> barred from employment for the rest of eternity because of it -- well, you're 
> advocating the use of stigma judication, like having a scarlet A for adultery.  
> I thought we were beyond that?

Not at all. It's unethical, not because he has that job. It's unethical
because securepoint wrote to him and invited him to apply. Thats the
unethical part. I have no problem with him applying for jobs, as a
programmer, or pentester, whatever.
The unethical part is a firm that specialises in security invites a
known virus writer to write software for them.

> I don't have an opinion on the specific case at hand, but these points 
> apply to the issue.  This seems to be the hot topic on the list right 
> now.  Can't we just agree that we simply don't have enough information 
> to pass judgement? 
>
> And, for the sake of the list, let's get off whether someone should be 
> employed or not -- isn't that a better topic for a sociology list than 
> this one?  I'll tell you one thing, you'll get better formed opinions on 
> the sociology list.  So far, people seem to be taking emotional sides... 
> and that will never lead to a reasoned solution.
Unfortunatley, it's likely to become hotter, more deatails are emerging.
You know, I'm sure some of the IT rags subscribe to this list.;)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html