Q&A: 'We are willing to take that risk,' says CEO who hired convicted botnet leader

'Almost all talented developers' push envelope when they're young, says Mahalo's Calacanis

Jason Calacanis, founder and CEO of search engine start-up Mahalo.com Inc., is defending his decision to allow IT staffer John Schiefer to continue working at Mahalo even after discovering that he was a convicted felon.

Schiefer was sentenced to four years in prison on Wednesday after pleading guilty last April to four felony counts involving illegal access to computers, interception of data and wire fraud. He was the first person to be charged under federal wiretap statutes for using a botnet to steal data and commit fraud.

Schiefer and his accomplices infected more than 250,000 PCs and stole usernames and passwords that they used to break into PayPal and other financial accounts.

Calacanis, who was at the sentencing, expressed his support for Schiefer in a blog post yesterday, saying he wished that the convicted hacker had been sentenced to supervised home arrest instead of incarceration in a federal penitentiary.

When Mahalo first hired Schiefer, the company didn't know about his criminal background, Calacanis said, adding that when he and other executives found out about Schiefer's crimes some months later, firing him on the spot would have been "the easy choice." But instead of doing that, Calacanis said he decided to give Schiefer another chance after hearing about "how he was abused as a child, his anger issues and how he found some level of peace in being part of the team at Mahalo."

Calacanis also wrote that he thinks Schiefer was "an angry stupid kid" when he launched his botnet attacks and that "almost all talented developers push the envelope when they're young." He said, "Anyone in technology knows this dark, dirty little secret."

In an e-mail interview with Computerworld today, Calacanis spoke further about his continuing support for Schiefer.

There are some who think that Schiefer probably got what was coming to him for his actions. Why was he deserving of a lighter sentence?

Without knowing John, I think I would agree that he got what he deserved, and sure, it could have been another year or two. After getting to know him, I can tell you — and in fact, he would tell you — that his behavior was based on a lack of guidance, immaturity and anger. Getting to know him, I've watched him not only grow but flourish while working with a team of intelligent technologists.

You said in your blog that you would have never hired Schiefer or other people like him if you had known of his background during the hiring process. Has this experience changed that outlook?

In the past, I would have probably never considered hiring a felon for my start-up. In fact, they would have probably never made it in for an interview. After this experience, I think I've learned something about rehabilitation and the role private industry can play in it.

After this, I would certainly consider someone convicted of computer crimes [for a job]. However, I think you have to look at each case and person individually. Not all hackers are cut from the same cloth.

What's Schiefer's role at your company?

John is a systems engineer, which means he works on Web servers. However, it is important to note that he does not have access to our database servers, that all of our password data is encrypted so no one on the development team can access it, and his work is supervised. Also, we are a content site, and we don't deal in sensitive data. He can, in fact, only do harm to us ... not our users. If John wanted to, he could turn off Mahalo, but we're willing to take that risk — we trust him.

In general, what do you think about companies hiring convicted hackers to help them deal with cybersecurity issues?

It's fairly clear that many — perhaps most — of the folks who step over the line in the hacker community do so out of a sense of exploration, challenge and the desire to be admired by their peers. These are the exact same reasons why someone becomes an entrepreneur and why they might start a company like Google, Yahoo or Mahalo.

In other words, the core desire in many of these individuals is good, but horribly misdirected. As a society, we have very hard decisions to make about these individuals. They are in fact damaging society through their actions, and our growing digital dependencies only make their actions more significant.

So what, then, is the best way of handling hackers who cross the line?

Clearly, we must make examples of people who step over the line, but we must also look with compassion and support to those who are willing to rehabilitate themselves. In this case, I believe John could be put under house arrest and be under constant computer monitoring — at his own expense — and help make the world a better place. I hope his four years in jail don't hurt his progress and that when he leaves jail, he can start his life off where he left it -- as a friend, hard-working team member and a brilliant contributor to society.
