Ben Metcalfe

Why you want to have crackers in your security team

A couple of thoughts on today’s news that Jason Calacanis employed John Schiefer, at Mahalo (or more accurately, that he didn’t fire him when he found out about his past). For those who don’t know, before he worked at Mahalo Schiefer got caught up in creating a botnet that was later used to raid people’s financial accounts.

I usually give Jason Calacanis a rough ride – the guy wants to be a “jock of the internet”, comes across as such, and so the nerds are going to throw shit from the peanut gallery. I don’t get why that’s really a big surprise – I just get frustrated that I become part of the spin as I feed into it.

But on this one I actually congratulate Jason for having the courage and the integrity to make a decision based on the actual situation rather than bowing to ‘keeping a front’ that would be more media and investor friendly.

As Jason points out in his blog post, many of us with powerful technical skills and understanding have at least experimented with putting those skills to less savory uses. We all have a past, even people like me who don’t work directly in any IT-security related area of the industry. But from what I can tell John was employed to work in a security-orientated position, and those are the very people you want to have a past in this area – so they know their field of expertise inside and out.

I’m not sure I’d hire any engineer or ops person to work in a security-related position who I knew didn’t have a history on the other side of the line. Of course, I would want to know they are done with that part of their lives.

This is true for other areas in technology: if you’re building an online music store you’d hope that your product people download a lot of music illegally using BitTorrent and Kazaa (so that they are totally across the other options out there). If you’re developing the Windows OS for Microsoft, it would be a good idea to regularly use Apple and *nix operating systems to understand what’s out there. This is a design pattern I don’t see anywhere near enough in business, and it’s the root of a lot of failures.

Back to the Schiefer story: some folks in the media, such as Rafe Needleman on Webware, have spun up a load of FUD around whether Schiefer had access to personal information and the level of ‘supervision’ he was given once Calacanis found out about his past.

What Rafe and others need to consider is that all technical employees at a company have full and complete access to their customers’ data. In fact they hold the root and master accounts, so they don’t need any cracking skills to gain access. The fact that Schiefer could crack doesn’t give him any greater access to this data.

Now, the argument could be raised that Schiefer’s history meant he shouldn’t be trusted. But I ask you to consider what percentage of Google, Facebook or any other tech company’s engineering team is made up of people who have dabbled in illegal technical activity? Whether they have or haven’t been caught shouldn’t affect how much you trust them. The bottom line is that most people are not caught. One of the biggest employers of engineers who have been caught committing cyber-related crimes is government.

Further still, what about people with the same level of ‘master’ access at companies you patronize who have committed other crimes of moral turpitude? This applies not only to engineers but to non-tech staff too, even as far down as call center staff.

The bottom line is that all companies need to have measures in place to protect their customers’ data inside the firewall as well as outside. How good a job they do varies.

But to take issue in a case like this specifically because someone had a history of cracking shows a vast naivety about the business. You want people who have this kind of history in your security team.