Re: Scandal: IT Security firm hires the author of Sasser worm

[Barry Fitzgerald <bkfsec () sdf lonestar org>]

ktabic wrote:

> >       - Have you ever exceeded 20 mph above the speed limit?  If so, 
> > does that make you incapable of driving a big rig truck?  If so, I think 
> > we should probably be very wary of our use of the roads.  It's much more 
> > difficult to get a commercial license if you've been caught speeding, 
> > but no one ever said it was impossible.
> >    
>
> Funnily enough. No. I haven't.
>  
Then you're in a very slim minority - if you drive, that is.

> Popping back to the speeding example above. If you get caught doing 20
> mph above the speed limit, you are liable to lose you license (in this
> country) unless you can come up with a really good reason. And: my job
> depends on being able to drive usually isn't good enough. And even if
> you don't lose the license, you gain penalties, which can accumulate
> into lost of the privilage to drive.
> So there is a difference between being caught for speeding. Get caught
> doign the proverbial 20mph above on a computer, you penalty is:
> Getting offered a job, and still being allowed to use a computer. To do
> what ever you want.
> That, at least, is what I see from this, and others like this.
>  
You point would be accurate if there were no penalties, but there are 
other penalties.  Your point here is far too simplistic to be accurate.

> >  
> Nope, I don't scoff at this.
> However, I have yet to see a job advertised: Professinal Virus
> Programmer, or with a job description of exploiting flaws in computers
> to compromise them againist thier owners will. *
> So he has a speciality that isn't really in demand.
>
>  
Yeah, but is that really what he was hired to do?

> <cynic>Hmm, yes. Thats actually a good idea. Since he is already known
> to those whose job it is to investigate and catch criminals, they may
> find things eassier</cynic>
> Hmm, so the armed robber should be allowed, as part of his
> rehabilitation, to become gainfully employed as...? Well, what ever he
> could become gainfully employed as, it won't be as an armed robber.
> Theres nothing to stop him from becoming gainfully employed as, say, a
> builder. Or even a dustman, which is actually quite and important job.
>  
Ahh - but he's not being hired by the company to be a virus/worm writer, 
is he?

If he isn't (and I highly doubt that he is) then you've proved my 
point.  Thank you.  :)

> > <>
> > Ok, he's working as a a trainee software developer working on security
> > products. Hows that?
That says nothing about how he'd be doing his work.

> > <>
>
>
> Not at all. It's unethical, not because he has that job. It's unethical
> because securepoint wrote to him and invited him to apply. Thats the
> unethical part. I have no problem with him applying for jobs, as a
> programmer, or pentester, whatever.
> The unethical part is a firm that specialises in security invites a
> known virus writer to write software for them.
>
>  
How is that unethical?

I'd be the first one here to call it unethical if I felt that it was, 
understand that, but I don't see how it's unethical.

It would be unethical if the company didn't disclose it... yet, they have.
It would be unethical if the company employed him to do unethical 
things... yet that doesn't appear to be what's happening.

Why does the company seeking him out qualify as being unethical?  I 
believe you're extending the term "unethical" to an area where it 
doesn't apply.

      -Barry


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html