Mahalo CEO defends IT staffer who ran botnet before being hired

Search engine exec says he hopes to offer John Schiefer a new job after sentence is up

After Mahalo.com Inc. employee John Schiefer was sentenced this week to four years in prison for leading a botnet scheme before he was hired by the search engine start-up, Mahalo's CEO said he hopes to give Schiefer another job once the sentence is up.

Schiefer was sentenced Wednesday in U.S. District Court in Los Angeles after pleading guilty last April to hacking, fraud and wiretapping charges. He was arrested in 2007 as part of Operation Bot Roast II, an FBI initiative aimed at finding and catching botnet operators.

The case against Schiefer marked the first time that someone had been charged with operating a botnet under federal wiretapping laws.

At the time of his arrest, Schiefer, who is now 27, worked as a security consultant at 3G Communications Corp., a Los Angeles-based network services provider. Court documents say that he used both home and work computers as part of the botnet scheme, in which he and several accomplices infected as many as 250,000 computers with malware and then stole usernames, passwords and financial-account data from the systems.

When Schiefer later was hired by Mahalo, the Santa Monica, Calif.-based company's executives weren't aware of his criminal activities, according to a blog post written yesterday by founder and CEO Jason Calacanis.

Mahalo has a "rigorous hiring process" that includes an average of five to eight interviews and three to five reference checks, Calacanis wrote in his blog. Schiefer passed that process "with flying colors," the CEO said. But he added that Mahalo CTO Mark Jeffrey "screwed up by not doing a simple Google search on John’s name."

Nonetheless, Calacanis stood by Schiefer, saying in the post that Mahalo learned of his crimes months after he was hired and decided not to take "the easy choice" of firing him — a decision that Calacanis said he doesn't regret.

"I consider myself a fairly decent judge of character, and after spending months with John, I’m convinced he was an angry stupid kid when he launched his botnet attack (which did .000000001% of the damage it could have)," Calacanis wrote. "Now he’s an adult who just wants to make a decent living, spend time with his significant other and breathe the clean air off the Pacific Ocean by our offices in Santa Monica."

Schiefer, who is due to report to prison on June 1, is continuing to work at Mahalo in the meantime, according to Calacanis, who said that the convicted hacker "is well-supervised" and that the company has "strict security policies" and doesn't store sensitive data about its customers.

Calacanis also indicated that Mahalo won't shut the door on Schiefer after he goes to prison. "When he comes out, I hope to be able to offer him a job and that we can work together again," Calacanis wrote. "Life is short, we all make mistakes and I'm glad we've been given the opportunity to work with someone who needs the help and guidance."

According to federal prosecutors, Schiefer and his accomplices used the botnet that they built to snoop in on Internet traffic between compromised computers and financial institutions. They then would use stolen usernames and passwords to make purchases or drain the bank and PayPal accounts of their victims.

Schiefer had several partners in the scheme, some of them minors whom he "bullied ... into participating in the crimes," according to court documents. For example, when a minor referred to as "Adam" expressed reservations about taking stolen money from PayPal, Schiefer told him to "quit being a bitch and claim it," according to the documents.

Online, Schiefer was known as "Acidstorm," and his MSN Messenger handle included a tagline that read, "Remember the name or feel the pain." According to prosecutors, he also used the botnet to install adware on compromised PCs, scamming a Netherlands-based online marketing company in the process.

In addition, Schiefer launched distributed denial-of-service attacks via the botnet and claimed in a meeting with the FBI that he had knocked the Web site of the Los Angeles Times offline, prosecutors said. And an FBI affidavit filed in the case said that Schiefer accessed computers at an unnamed client of 3G Communications without authorization.

Schiefer seemed happy with the money he was making from his scams. According to evidence entered into court, another of his instant messaging signatures read, "Crime pays, and it also has an excellent benefits package."

Despite his previous criminal activities, Schiefer hopes to seek future employment in the information security field, prosecutors said.

To express your thoughts on Computerworld content, visit Computerworld's Facebook page, LinkedIn page and Twitter stream.
Fix Windows 10 problems with these free Microsoft tools
Shop Tech Products at Amazon