Why would SecurePoint hire a person who intentionally caused hundreds of millions of dollars in damage? (Yes, it is intentional as the results of releasing a virus, let alone two, are well known.) Well, they have given two answers. First, SecurePoint claims that it wants to give him a second chance. When quoted in other stories, however, company officials say that he has unique knowledge.
Damage assessment still incomplete
Giving someone a second chance seems noble enough, but how does SecurePoint know that this person deserves a second chance? The investigation isn't finished and we don't even know the full extent of the crimes he committed. Chances are likely that he did more than just write two viruses. It is well known that criminals have attempted to place backdoors in commercial software. SecurePoint has negligently, potentially opened up its software to such attacks, which is compounded by the fact that it is a firewall company. On top of all this, you have to ask why doesn't it hire one of the thousands of people deserving of getting a job first -- people whose only flaw is that they did not get a deluge of media attention by causing millions of dollars in damage.
Concerning the quote of "unique knowledge," SecurePoint claims that the first thing it is going to do is train him how to write software. It would appear that unique knowledge is not very relevant for the job. Again, SecurePoint is a firewall company, and he is a virus writer. There are other ways to obtain underground knowledge, anyway. The fact is that many companies hire people with exposure to the computer underground, which is not necessarily a bad thing. These people have the skills for the jobs they were hired for, and they likely never caused millions of dollars in damage. You are going to have a hard time convincing me that this is anything more than a publicity stunt.
The Mitnick factor
During one of Kevin Mitnick's sentencings, a judge said that even though he arguably caused more than $1 million in damage, with his rap sheet of multiple criminal convictions, it was unlikely that he would be employable, so he imposed restitution of less than $10,000 for the last conviction. Mitnick has reportedly made that many times over during speaking engagements. At the very least, hiring the virus writer demonstrates in advance that he is employable, and that he should be fully liable for all of the damage that he caused. Maybe SecurePoint can be made a party in paying for Sasser-related liabilities since it's benefiting from the notoriety.
SecurePoint is sending the wrong message -- a message that encourages criminal behavior. As security professionals, we have to make lemonade out of lemons. Point out to clients the reasons that SecurePoint is opening them up to potential damage, because of what appears to be a cheap publicity stunt. Point out the behaviors that encourage criminal activity. Point out why its own statements demonstrate a lack of understanding of the market it claims to serve.
To me, security professionals appear to take these things in stride, bend over, and say, "Please sir, may I have another," instead of standing up for their principles. It is time that vendors be held accountable for their actions, including hiring computer criminals.
Ira Winkler, CISSP, CISM, has almost 20 years of experience in the intelligence and security fields, and has been a consultant to many of the largest companies in the world. He is also author of the forthcoming book "Spies Among Us."
This article originally appeared on SearchSecurity.com.
This was first published in October 2004