On hiring a virus writer

I have to admit that I am happy that a previously unknown company hired the author of the Sasser and Netsky worms. While many people are, of course, outraged by the whole thing, as they should be, there are a few things brought to the forefront that would otherwise be ignored.

In the first place, we now know the true colors of a firewall vendor. Personally, I had never heard of SecurePoint before this incident. Maybe it is more popular in Europe; however, I don't know of any companies that use its products.

Why would SecurePoint hire a person who intentionally caused hundreds of millions of dollars in damage? (Yes, it is intentional as the results of releasing a virus, let alone two, are well known.) Well, they have given two answers. First SecurePoint claims that it wants to give him a second chance. When quoted in other stories, company officials say that he has unique knowledge.

Giving someone a second chance seems noble enough, but how does SecurePoint know that this person deserves a "second chance." The investigation isn't finished and we don't even know the full extent of the crimes he committed. Chances are likely that he did more than just write two viruses. It is well known that criminals have attempted to place backdoors in commercial software. SecurePoint has negligently, potentially opened up its software to such attacks, which is compounded by the fact that it is a firewall company. On top of all this, you have to ask why doesn't it hire one of the thousands of people deserving of getting a first job, whose only flaw is that they did not get a deluge of media attention by causing millions of dollars in damage.

Concerning the quote of "unique knowledge," SecurePoint claims that the first thing it is going to do is train him how to write software. It would appear that unique knowledge is not very relevant for the job. Again, SecurePoint is a firewall company, and he is a virus writer. There are other ways to obtain underground knowledge, anyway. The fact is that many companies hire people with exposure to the computer underground, which is not necessarily a bad thing. These people have the skills for the jobs they were hired for, and they likely never caused millions of dollars in damage. You are going to have a hard time convincing me that this is anything more than a publicity stunt.

During one of Kevin Mitnick's sentencings, a judge said that even though he arguably caused more than $1 million in damage, with his rap sheet of multiple criminal convictions, it was unlikely that he would be employable, so he imposed restitution of less than $10,000 for the last conviction. Mitnick has reportedly made that many times over during speaking engagements. At the very least, hiring the virus writer demonstrates in advance that he is employable, and that he should be fully liable for all of the damage that he caused. Maybe SecurePoint can be made a party in paying for Sasser-related liabilities since it's benefiting from the notoriety.

SecurePoint is sending the wrong message -- a message that encourages criminal behavior. As security professionals, we have to make lemonade out of lemons. Point out to clients the reasons that SecurePoint is opening them up to potential damage, because of what appears to be a cheap publicity stunt. Point out the behaviors that encourage criminal activity. Point out why its own statements demonstrate a lack of understanding of the market it claims to serve.

To me, security professionals appear to take these things in stride, bend over, and say, "Please sir, may I have another," instead of standing up for their principles. It is time that vendors be held accountable for their actions, including hiring computer criminals.

About the author
Ira Winkler, CISSP, CISM has almost 20 years of experience in the intelligence and security fields, and has consulted to many of the largest corporations in the world. He is also author of the forthcoming book, Spies Among Us.

Have an opinion on this article? E-mail your letters to Shawna McAlearney, and include your name, title and organization. Letters may be edited for space and clarity.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Application and Platform Security,   Email Protection,   Email Security Guidelines, Encryption and Appliances,   Guest Commentary,   Malware, Viruses, Trojans and Spyware,   Information Security Threats,   Network Security: Tools, Products, Software,   Network Firewalls, Routers and Switches,   Enterprise Network Security,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Email Security Guidelines, Encryption and Appliances How to confirm the receipt of an email with security protocols Best Email Security Products Can an IP spoofing tool be used to spam SPF servers? WatchGuard acquires email and Web security vendor BorderWare McAfee to acquire email SaaS vendor MX Logic What does 'invoked by uid 78' mean? How to configure firewall ports for webmail system implementation Fierce competition prompted new Cisco email security options Cisco brings email security appliances closer to SaaS Cisco offers more email security choices, but lacks vision Guest Commentary Google hacking exposes a world of security flaws Eliminating the threat of spam email attacks Outsourcing IT services: Is it worth the security risk? How permanent is your storage solution? Honeypots can strengthen reconnaissance and lower intrusion noise Freedom of speech or lack of professional responsibility? This year compliance, next year control Senior security member explains his position on Abagnale Computer Security Institute's leader responds to Abagnale flap Spokesman or poster child? Malware, Viruses, Trojans and Spyware New Zeus spam poses as Social Security statements Increase in Gumblar backdoors poses FTP credential problems Hackers to sharpen malware, malicious software in 2010 iPhone worm Rickrolls jailbroken phones Israeli Mossad add Trojan Horse to Syrian laptop Schneier-Ranum Face-Off: Is antivirus dead? Modern malware, stealthy botnets, adapt quickly, expert says Computer worm infections up, scareware antivirus down, Microsoft says Web-based attacks skyrocket, pirating sites surge, security firms say Mini guide: How to remove and prevent Trojans, malware and spyware RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary asymmetric cryptography  (SearchSecurity.com) challenge-response system  (SearchSecurity.com) cryptographic checksum  (SearchSecurity.com) data encryption/decryption IC  (SearchSecurity.com) elliptical curve cryptography  (SearchSecurity.com) Escrowed Encryption Standard  (SearchSecurity.com) MPPE  (SearchSecurity.com) Quiz: Cryptography  (SearchSecurity.com) session key  (SearchSecurity.com) Twofish  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.