Mahalo: Our hacker employee is no threat to your privacy
Mahalo CEO Jason Calacanis sent an e-mail Thursday to his followers (also posted on his blog, and worth a read) disclosing that his company mistakenly hired a man convicted of computer crimes but who hasn't yet served his sentence. To retell Calacanis' story with a critical slant, his employee was caught (unusual for hackers) after launching a botnet attack that didn't work. And then he lied--or omitted the telling--about his conviction when he was interviewing at Mahalo.
Instead of firing him outright, Calacanis decided to keep him employed until his prison sentence begins on June 1.
Of course, we are all flawed, we make lots of mistakes in life, and we owe each other every kindness. It's possible that Mahalo's errant hire made one bonehead hacking move and saw the error of his ways, and he'll never do it again--although news reports of his crimes paint a much uglier picture. But it's what Calacanis believes. He says he knows the man, and I admire him for standing up for him, and keeping him employed when the easy thing, for a dozen reasons, would be to fire him.
But that doesn't mean I trust the company Mahalo more now. In fact, knowing that there's a lying, somewhat inept hacker working on Mahalo makes me wonder what personal data at Mahalo could be exposed. Calacanis takes pains in his letter to say that the employee's work is "well-supervised" and limited to simply Mahalo question-and-answer data. However, Mahalo does transact financial business, both with users (they can buy Mahalo Dollars), and of course with advertisers. How walled-off is that transaction data? How good are the employee's watchers? Who's the hacker in this equation, anyhow?
I do not believe in a zero tolerance policy for minor crimes, but my argument with this action is about economics and trust, not morals or ethics or laws. Mahalo, which recently had to lay off staffers to make sure it could weather the recession, is now spending extra supervisory energy watching this hopefully rehabilitated presumably former hacker work on its systems. Although in this particular case one may say that Calacanis is doing one man a kindness and spreading magnanimity and good karma around, one also has to ask: can Mahalo customers trust a business that keeps hackers employed? Can any online business, for that matter, afford to keep a convicted hacker on the payroll?
Rafe Needleman writes about start-ups, new technologies, and Web 2.0 products, as editor of CNET's Webware.



Perhaps Jason might want to rethink the Employment Application at Mahalo.
Unfortunately, a lot of these dot com companies have no value whatsoever and very often no common sense.
On the subject of him lying on an application, I don't know that that is true, but that could be a valid argument.
There are a number of ex 'black-hat' hackers out there these days, and most of them are doing work which is far more security-oriented than anything John is doing. (This is an assumption. In Jason's e-mail, we are told that no member of the staff has access to anything other than the Mahalo Questions and Answers.) I would assume, after reading the email, that if John was interested in doing something with malicious intent he would not have any easier a time hacking Mahalo than any other kid out on the internet, or a person who was able to gain access to their office via some form of social engineering.
If people are truly worried about ex-hackers working in businesses, they should realize that a large number of people in the IT-Security profession didn't learn everything they know through a book. If you don't want to use Mahalo because of this that's your decision, but realize that there are more ex-hackers out there than you think. He was caught, does that make him more or less likely to commit a crime again?
- by superduperuser March 7, 2009 6:48 PM PST
- This is a really clear cut case of where some employer who is close to a person and has made a serious personal mistake is blinding himself to reality, possibly because he is too arrogant to admit he is wrong. The employer is just showing he is naive and conned. (At best. At worst, he has a deep lack of empathy bordering on sociopathy.)
I work in computer security in a trusted position. Thankfully, the best security researchers have some tincture of morality. It is relatively rare to meet the sorts of jerks who are showing themselves so commonly on the web: individuals who embrace an anti-morality. They relish in victimizing innocent people. They boast of how "bad" they are and they are celebrated for this. People think it is all great and fun... until they become the victims.
How people can be so insensitive or lacking of empathy, puzzles me. Perhaps they have lived spoiled lives and simply never been seriously victimized. If so, such hypocrites are the sort who deeply deserve to be.
Identity crime is not a joke. It is a nightmare. Maybe if this employer had his identity stolen he would be a little less cavalier about embracing his immoral employee... though whether the employee has simply conned the man or the man has not the humility to admit he is wrong, I don't know.
There are criminals who victimize innocent people and then there are those who celebrate them or simply do nothing. The two sorts work hand in hand. Society would be darned well near perfect without such heartless leeches.
Nobody's perfect, but there are clear boundaries of what can be expected of people and not. This kid went well beyond all clear boundaries, probably relishing the very fact that he is ruining people's lives. That is the sick fact of these sorts of criminals.
People who do business with such a company are leaving their brains at the door.
As for forgiveness, compassion... this is out of the picture in this case. The kid has not shown any sort of remorse or concern. Unfortunately, teaching the morally depraved such lessons does not come from prison. And... this is not the sort of juvenile hacking that people can just laugh off he was engaged in. This kid didn't do no harm. And he wasn't even really a kid at all.