Column

On hiring a virus writer

In

You are going to have a hard time convincing me that this is anything more than a publicity stunt.


,
the first place, we now know the true colors of a firewall vendor. Personally, I had never heard of SecurePoint before this incident. Maybe it is more popular in Europe; however, I don't know of any companies that use its products.

Why would SecurePoint hire a person who intentionally caused hundreds of millions of dollars in damage? (Yes, it is intentional as the results of releasing a virus, let alone two, are well known.) Well, they have given two answers. First, SecurePoint claims that it wants to give him a second chance. When quoted in other stories, however, company officials say that he has unique knowledge.

Damage assessment still incomplete

Giving someone a second chance seems noble enough, but how does SecurePoint know that this person deserves a second chance? The investigation isn't finished and we don't even know the full extent of the crimes he committed. Chances are likely that he did more than just write two viruses. It is well known that criminals have attempted to place backdoors in commercial software. SecurePoint has negligently, potentially opened up its software to such attacks, which is compounded by the fact that it is a firewall company. On top of all this, you have to ask why doesn't it hire one of the thousands of people deserving of getting a job first -- people whose only flaw is that they did not get a deluge of media attention by causing millions of dollars in damage.

Concerning the quote of "unique knowledge," SecurePoint claims that the first thing it is going to do is train him how to write software. It would appear that unique knowledge is not very relevant for the job. Again, SecurePoint is a firewall company, and he is a virus writer. There are other ways to obtain underground knowledge, anyway. The fact is that many companies hire people with exposure to the computer underground, which is not necessarily a bad thing. These people have the skills for the jobs they were hired for, and they likely never caused millions of dollars in damage. You are going to have a hard time convincing me that this is anything more than a publicity stunt.

The Mitnick factor

During one of Kevin Mitnick's sentencings, a judge said that even though he arguably caused more than $1 million in damage, with his rap sheet of multiple criminal convictions, it was unlikely that he would be employable, so he imposed restitution of less than $10,000 for the last conviction. Mitnick has reportedly made that many times over during speaking engagements. At the very least, hiring the virus writer demonstrates in advance that he is employable, and that he should be fully liable for all of the damage that he caused. Maybe SecurePoint can be made a party in paying for Sasser-related liabilities since it's benefiting from the notoriety.

SecurePoint is sending the wrong message -- a message that encourages criminal behavior. As security professionals, we have to make lemonade out of lemons. Point out to clients the reasons that SecurePoint is opening them up to potential damage, because of what appears to be a cheap publicity stunt. Point out the behaviors that encourage criminal activity. Point out why its own statements demonstrate a lack of understanding of the market it claims to serve.

To me, security professionals appear to take these things in stride, bend over, and say, "Please sir, may I have another," instead of standing up for their principles. It is time that vendors be held accountable for their actions, including hiring computer criminals.


Ira Winkler, CISSP, CISM, has almost 20 years of experience in the intelligence and security fields, and has been a consultant to many of the largest companies in the world. He is also author of the forthcoming book "Spies Among Us."

This article originally appeared on SearchSecurity.com.


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: