Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mariposa Botmasters Sought Real Jobs After Arrest

Posted by Soulskill on from the unusual-recruitment-practices dept.

An anonymous reader writes "Two of the three Spanish men arrested in February for their alleged role in operating the massive Mariposa botnet later sought jobs at the Spanish security firm that previously had helped get them arrested. From Krebsonsecurity.com: 'Corrons, a technical director and blogger for Spanish security firm Panda Security, said he received a visit from the hackers on the morning of March 22. The two men, known by the online nicknames "Netkairo" and "Ostiator," were arrested in February by Spanish police for their alleged role in running the "Mariposa" botnet, a malware distribution platform that spread malicious software to more than 12 million Internet addresses from 190 countries (mariposa is Spanish for "butterfly"). Now, here the two Mariposa curators were at Panda's headquarters in Bilbao, their resumes in hand, practically begging for a job, Corrons said.' The story concludes with a brief response from Netkairo, who acknowledges seeking the job at Panda because he is broke now that his moneymaking machine has been dismantled."

14 of 92 comments (clear)

  1. Spain's unemployment is at 20% by CRCulver · · Score: 4, Informative

    When Spain has seen incredible joblessness recently, you can't blame people for being a little desparate in their jobhunting.

  2. Kevin Mitnick by Pharmboy · · Score: 3, Insightful

    What about Kevin Mitnick? He is making a living by switching his hat from black to white, and no one had a problem with that. It would seem that Panda might do better having a few people who know how to make malware so successfully. The question, of course, is "can you trust them?" and only they can answer that.

    What did you expect the guys to do for jobs, flip burgers? Become stock brokers? Of course they would pursue careers in security. It seems they must know a fair amount about it to get away with so much, for so long. They certainly know more than someone coming straight from a CS degree.

    --
    Tequila: It's not just for breakfast anymore!
    1. Re:Kevin Mitnick by MarkvW · · Score: 5, Informative

      TFA makes the point that these crooks were using purchased code. This indicates that they aren't very sophisticated. Their market value would appear to be zilch.

    2. Re:Kevin Mitnick by Pharmboy · · Score: 3, Informative

      Mitnick used social engineering, not reverse engineering, to gain access to networks. I don't think we have enough information to know what skillz they have or do not have. Either way, I don't *blame* them for trying to get into the security biz for a job. I didn't say I would be hiring them, just said it shouldn't be shocking that they are trying to enter a field they know at least something about.

      --
      Tequila: It's not just for breakfast anymore!
    3. Re:Kevin Mitnick by jjohnson · · Score: 4, Insightful

      The question, of course, is "can you trust them?" and only they can answer that.

      From the article:

      When it became clear that Panda wasn't interested in hiring him, Netkairo changed his tune, Corrons said, claiming he had found vulnerabilities in the company's cloud anti-virus software and hinting that he planned to publish the information.

      Clearly in these guy's case, you can't.

      --
      Anyone who loves or hates any language, platform, or manufacturer, doesn't know what they're talking about.
  3. If nobody gives them a second chance by pegasustonans · · Score: 4, Insightful

    ...Then a life of crime is all that awaits. It's easy to say you have high standards shutting potentially talented people out of your organization, but no one should be surprised if those people turn to illegitimate activities again.

    --
    And all our yesterdays have lighted fools The way to dusty death. --Will
    1. Re:If nobody gives them a second chance by jjohnson · · Score: 4, Informative

      From the article:

      When it became clear that Panda wasn't interested in hiring him, Netkairo changed his tune, Corrons said, claiming he had found vulnerabilities in the company's cloud anti-virus software and hinting that he planned to publish the information.

      This is why you don't hire criminals, ex or otherwise. Pretty much by definition, they don't have normal social controls in their heads that make them worthwhile employees.

      I can see Panda potentially using them as consultants of a sort, and very carefully maintaining an arms-length relationship with them that's clearly about paying them for specific analyses or something. But hire them as employees? It'd be like planting land mines under the office carpet.

      --
      Anyone who loves or hates any language, platform, or manufacturer, doesn't know what they're talking about.
    2. Re:If nobody gives them a second chance by crow_t_robot · · Score: 3, Interesting

      EXACTLY. This is exactly how Carl Gugasian began his 30-year career of bank robbery [ http://en.wikipedia.org/wiki/Carl_Gugasian ] He was told that he would never get a legitimate job because of a juvenile robbery offense so he went on to become, arguably, the world's greatest bank robber for 30 years. He ended up being caught due to a total fluke.

    3. Re:If nobody gives them a second chance by timholman · · Score: 3, Interesting

      ...Then a life of crime is all that awaits. It's easy to say you have high standards shutting potentially talented people out of your organization, but no one should be surprised if those people turn to illegitimate activities again.

      "Potentially talented"? One of the most common memes I keep hearing is that malware writers are programming geniuses who need only a guiding hand to become productive members of society.

      I've met or worked with a lot of very sharp programmers over the years. All of them made a good salary from their skills. A few of them have made a significant amount of money. Any one of them would be capable of creating his own botnet without difficulty. Furthermore, many of them are sharp enough to pull off some impressive social engineering to gain access to systems, a la Kevin Mitnick.

      But none of them did that, because they had the ethics to understand that subverting millions of other peoples' computers for your own financial gain is wrong. Not just illegal, but wrong.

      If these botnet writers are so brilliant, where are the useful programs they have written? That's right, they don't exist. These guys are more likely marginally talented shmucks who have demonstrated an ability that hundreds of thousands of more talented programmers could easily replicate. All they lacked were the morals to do the right thing.

      If these guys are actually good programmers who want to be productive members of society, let them prove it writing and marketing useful software on their own, instead of malware. But let them on my systems, or deal with my customers? Not in a million years. I can hire honest programmers for that.

    4. Re:If nobody gives them a second chance by causality · · Score: 4, Interesting

      This is why you don't hire criminals, ex or otherwise. Pretty much by definition, they don't have normal social controls in their heads that make them worthwhile employees.

      The difference between criminals and average people is that the criminals believed that they had a payoff combined with a low chance of getting caught and/or they believe they have nothing to lose. Otherwise, most average non-criminals don't have much of an internal morality, set of ethical principles, or enlightened self-interest that guide their actions. What they have is a fear of consequence and the sense that they have a great deal to lose by going to jail. They're not trying to be particularly good or ethical or moral, so "decent" is a good description of them. This is, of course, a puerile concern for the self and not a concern for how one's actions may adversely impact others. If you have ever noticed how inconsiderate and oblivious most folks are, who drive/walk/shop as though other people don't exist and could not possibly be inconvenienced by their carelessness, this is part of it.

      One explanation of such is Kohlberg's stages of moral development, if you feel like you need a more formal, psychology-based description to appreciate this observation. In a much more intuitive sense, it also reminds me of the quote from Aristotle: "I have gained this by philosophy; that I do without being commanded what others do only from fear of the law."

      --
      It is a miracle that curiosity survives formal education. - Einstein
    5. Re:If nobody gives them a second chance by tool462 · · Score: 4, Insightful

      The cynic in me wants to say that an honest person is someone who hasn't been caught lying yet.

  4. This is not a black to white hat situation by LockeOnLogic · · Score: 5, Interesting

    RTFA this isn't a situtation of some reformed skilled hacker seek a job. These are a bunch of script kiddies trying to weasle their way into a job by pretending to be like Kevin Mitnick. After being turned away several times (justifiably) they then decided to threaten to expose a security vunerability they claimed to have discovered in the companies software. They are black hats through and through.

  5. That's fine by Sycraft-fu · · Score: 3, Insightful

    But there's a big difference between giving someone a second chance and giving them whatever job they want. These guys have already proven that they have some severe ethical problems. That can limit the roles in which a company is willing to let them work. As an example: Would you be ok with these guys working on the database that contains your credit card number, or bank account details? If not then perhaps you can understand why a company wouldn't want them in certain roles.

    So while I'm not saying "Screw them, they should have to beg for food for life," I think they need to accept that they aren't going to be able to be computer security professionals, at least not for some time. Perhaps they need to look at careers away from computers entirely. However if they are staying in the computer field, they are probably going to have to look at jobs that don't involve access to much, maybe helpdesk type positions. Kinds sucks but that's life.

    Trust isn't the kind of thing that you can just get back once you've destroyed it. It takes time to rebuild. They are going to need to spend time working honestly to show that indeed they have learned their lesson and can act in an ethical manner. They can't expect to get a job with access to potentially sensitive data straight off, even if their technical skills are top notch (and I question if that's the case).

  6. Re:"Cojones" by vegiVamp · · Score: 3, Funny

    I do believe you mean "groans".

    Actually, I HOPE you mean "groans".

    --
    What a depressingly stupid machine.