Mahalo CEO hired convicted botnet leader

The founder and CEO of search engine start-up Mahalo.com defends his employment of a botnet baron

Jason Calacanis, founder and CEO of search engine start-up Mahalo.com, defends his decision to allow former security researcher John Schiefer to continue working at his firm, even after discovering he was a convicted felon.

Schiefer was sentenced to four years in prison recently after pleading guilty last April to four felony counts involving illegal access to computers, illegal interception of data and wire fraud. He is the first person to be charged under US federal wiretap statutes for using a botnet to steal data and commit fraud.

Schiefer and his accomplices infected more than 250,000 PCs, stealing usernames and passwords they used to break into PayPal and other financial accounts.

Calacanis, who was at the sentencing, expressed his support in a blog post for Schiefer, saying he should have been sentenced to supervised home arrest instead of incarceration in a federal penitentiary.

Calacanis says that when Mahalo first hired Schiefer, the company did not know about his background. And when it found out about his crime, the company could have fired him on the spot because that was the "easy choice", Calacanis wrote. But rather than do that, the company decided to give Schiefer a chance, after hearing about his tough childhood, his anger issues and how he'd found a level of peace by being at Mahalo.

Calacanis says that while Schiefer might have been an "angry stupid kid" when he launched his botnet attacks, all developers pushed the envelope when they were young. "Anyone in technology knows this dark, dirty little secret," Calacanis says in his blog.

Calacanis speaks in more detail on his support for Schiefer by email:

There are some who think that Schiefer probably got what was coming for his actions. Why was John deserving of a lighter sentence?

Without knowing John, I think I would agree that he got what he deserved and, sure, it could have been another year or two. After getting to know him I can tell you, and in fact he would tell you, that his behaviour was based on a lack of guidance, immaturity and anger. Getting to know him, I've watched him not only grow but flourish while working with a team of intelligent technologists.

You said in your blog that you would have never hired John (or people like him) if you had known of his background during the hiring process. Has this experience changed that outlook?

In the past, I would have probably never considered hiring a felon for my startup. In fact, they would have probably never made it in for an interview. After this experience, I think I've learned something about rehabilitation and the role private industry can play in it. After this, I would certainly consider someone convicted of computer crimes. However, I think you have to look at each case and person individually. Not all hackers are cut from the same cloth.

What was John's role in your company?

John is a systems engineer, which means he works on web servers. However, it is important to note that he does not have access to our database servers, where all of our password data is encrypted. No one on the development team can access it and his work is supervised. Also, we are a content site and we don't deal in sensitive data. He can, in fact, only do harm to us ... not our users. If John wanted to, he could turn off Mahalo, but we're willing to take that risk; we trust him.

In general, what do you think about companies hiring convicted hackers to help them deal with cybersecurity issues?

It's fairly clear that many, perhaps most, of the folks who step over the line in the hacker community do so out of a sense of exploration, challenge and the desire to be admired by their peers. These are the exact same reasons why someone becomes an entrepreneur, and why they might start a company like Google, Yahoo, or Mahalo.

In other words, the core desire in many of these individuals is good, but horribly misdirected. As a society we have hard decisions to make about these individuals. They are in fact damaging society through their actions, and our growing digital dependencies only make their actions more significant.

So what then is the best way of handling hackers who cross the line?

Clearly we must make examples of people who step over the line, but we must also look with compassion and support to those who are willing to rehabilitate themselves. In this case I believe John could be put under house arrest and be under constant computer monitoring at his own expense and help make the world a better place. I hope his four years in jail don't hurt his progress, and that when he leaves jail he can start his life off where he left it. As a friend, hard-working team member and a brilliant contributor to society.
