Re: [Full-Disclosure] Scandal: IT Security firm hires the author of Sasser worm
From: Barry Fitzgerald (bkfsec_at_sdf.lonestar.org)
To: ktabic <firstname.lastname@example.org> Date: Mon, 20 Sep 2004 15:43:14 -0400
>Well, I vaguely recall laws that state that a convicted criminal isn't
>allowed to profit from his crime, even after he has served his sentence.
>This does, however, sound like he is profiting from his crime.
>Think: would he have been given this job if he hadn't had his named
>plastered all over the newspapers?
I don't have an opinion on this particular situation. I really,
But, here are some things everyone should think about:
- Have you ever exceeded 20 mph above the speed limit? If so,
does that make you incapable of driving a big rig truck? If so, I think
we should probably
be very wary of our use of the roads. It's much more
difficult to get a commercial license if you've been caught speeding,
but no one ever said it was
- What about the people who were never caught? How's the
paranoia setting in now? :) Seriously, though, which is more
dangerous? A cracker's who's been
caught and knows he's being watched, or a cracker who has
never been caught and knows that he can silently observe the inner
workings of an organization
and, with time on his side, exploit it. If you say "the guy
who got caught", then you need to rethink your stance on reality.
- How do criminals reintegrate into society if they're not
allowed to be gainfully employed in their specialty? You may scoff at
this, but it's a very valid question.
Not allowing a criminal, once released, to be openly and
gainfully employed only gives them more reason to again turn to crime.
Would you prefer that he
work for the russian mafia writing web exploits? If you want
to take away his ability to be employed, then you're virtually forcing
him into a life of crime.
How productive is that?
- Employing known crackers is not new. People have been throwing
around the term "unethical" with regard to his employment, but I fail to
see how his being
employed is unethical. It would be unethical if the company
were employing him to crack their opponents, but thus far there's no
indication that that's the case.
In fact, it hasn't even been mentioned what he was employed to
do. How do you know that he's not in a basement somewhere with a 386
and a floppy drive
dissecting malware that's been handed to him physically? You
don't know what he's doing, so why start making silly assumptions about
the basis for his
employment? But this practice, of employing known crackers,
is not new and it's not unethical. The act of simply employing someone
to do a legal job can't
be unethical unless what they're being told to do is
unethical. If your perspective is that it's unethical *because* he
wrote a worm and should be barred from
employment for the rest of eternity because of it -- well,
you're advocating the use of stigma judication, like having a scarlet A
for adultery. I thought we were
I don't have an opinion on the specific case at hand, but these points
apply to the issue. This seems to be the hot topic on the list right
now. Can't we just agree that we simply don't have enough information
to pass judgement?
And, for the sake of the list, let's get off whether someone should be
employed or not -- isn't that a better topic for a sociology list than
this one? I'll tell you one thing, you'll get better formed opinions on
the sociology list. So far, people seem to be taking emotional sides...
and that will never lead to a reasoned solution.
Full-Disclosure - We believe in it.