Mariposa Botmasters Sought Real Jobs After Arrest 92
An anonymous reader writes "Two of the three Spanish men arrested in February for their alleged role in operating the massive Mariposa botnet later sought jobs at the Spanish security firm that previously had helped get them arrested. From Krebsonsecurity.com: 'Corrons, a technical director and blogger for Spanish security firm Panda Security, said he received a visit from the hackers on the morning of March 22. The two men, known by the online nicknames "Netkairo" and "Ostiator," were arrested in February by Spanish police for their alleged role in running the "Mariposa" botnet, a malware distribution platform that spread malicious software to more than 12 million Internet addresses from 190 countries (mariposa is Spanish for "butterfly"). Now, here the two Mariposa curators were at Panda's headquarters in Bilbao, their resumes in hand, practically begging for a job, Corrons said.' The story concludes with a brief response from Netkairo, who acknowledges seeking the job at Panda because he is broke now that his moneymaking machine has been dismantled."
Comment removed (Score:5, Informative)
Re: (Score:1, Insightful)
If by "jobhunting" you mean "willingly fucking up the computers of 12 million people, then expecting a pity party when they get caught," then yes.
"Cojones" (Score:2)
I think that's what *most* people might call it in those parts, 15+% unemployment notwithstanding.
Re: (Score:1)
Re: (Score:1, Offtopic)
Wrong. Testiculos is the proper word, AKA Testicles. In Spain, they say that someone "Tiene cojones" (literally has balls), as in "is very brave".
The Mexicans don't use that expression that much. Actually, Mexicans don't speak Spanish at all. They speak Mexican, which is a mixture of bad spanish, completely made up words, engrish, plus groins and other guttural sounds.
Re:"Cojones" (Score:4, Funny)
Actually, I HOPE you mean "groans".
Re: (Score:1)
Re: (Score:1, Funny)
He's not a racist bigot, he's a Spaniard.
Re: (Score:1, Insightful)
I'm not even going to begin to address the evolution of language and divergence of modern dialects of english, however to deny that such changes have occurred is misguided. While the colonial use of english in north america may remain mutually intelligible with that of britain and english speaking europeans, this is largely due to the influence of modern television. Maintaining that it is still the same spoken, let alone written language is simply ridiculous. You are unlikely to agree with this, however the
Re: (Score:2)
Actually, he's mostly correct. The dialect they speak is Español mexicano. I've known Cubans (immigrants or 1st generation American) who have a very hard time understanding Mexican Spanish, and vice versa.
Americans don't speak British English, they speak American English. Australians speak Australian English. Within each of those are other dialects. For a lot of people, if they grew up in an area that had a distinct dialect with few others having other dialects
Re: (Score:2)
You're just getting into semantics and finer tastes. :)
By definition, it's suppose to be 2/3 highball glass of ice, 3 parts coke, 1 part white rum. It will be slightly lighter than normal coke.
If I'm mixing it at home, my mix is usually a pint glass, 3 ice cubes, 2/3 rum, top with coke. It should be a very light tan in color. That gives me a nice drink that I can work on for about an hour so I have time to socialize with guests.
A typical bar mix
Re: (Score:2)
Coke or Soda both work, but if you want to drink your 'Pop', I don't want to hear about it and if you insist on doing it in public I hope you get arrested for incest.
Having grown up in Oregon, theoretically I should accept and embrace drinking "Pop", but it will never happen.
Not everything is regional.
Re: (Score:2)
Just because you don't follow the local slang doesn't mean it doesn't exist. :) Growing up in the south, I've avoided the "y'all", and most of the southern drawl, but I've heard it enough that it's easy to slip into. At very least, I understand every word people say. If you've ever watched "King of the Hill", I actually understand what "Boomhauer" says. Well, what he's saying. The random noises between his words is actually how some people speak.
From what I've seen, "pop"
Re: (Score:2)
I am not Spanish, I was born, raised and am living in Argentina.
I am not ignorant. I speak several languages, Spanish is my native tongue, and I can express myself perfectly in Spanish.
I am not racist. Discriminating and recognizing the particularities of a certain country are different things. Mexicans tend to be loud, poorly educated, highly religious, and not very subtle. You can spot them from a mile away.
In South America, there are very well spoken languages. Peru certainly has the most beautiful and c
Re: (Score:1)
Re: (Score:2)
Ah crap! I must have hit the post anonymously box by mistake. That was me. ;)
Oh, and we don't use "vosotros" either, we use
"Ustedes".
Actually, we don't use "Tu" as the second person singular pronoun like you do, we use "Vos".
While a Mexican would say:
Tu eres Latinoamericano.
We would say:
Vos sos Latinoamericano.
Or "Che, boludo, vos sos re sudaca" :P
Re: (Score:2)
Kevin Mitnick (Score:4, Insightful)
What about Kevin Mitnick? He is making a living by switching his hat from black to white, and no one had a problem with that. It would seem that Panda might do better having a few people who know how to make malware so successfully. The question, of course, is "can you trust them?" and only they can answer that.
What did you expect the guys to do for jobs, flip burgers? Become stock brokers? Of course they would pursue careers in security. It seems they must know a fair amount about it to get away with so much, for so long. They certainly know more than someone coming straight from a CS degree.
Re:Kevin Mitnick (Score:5, Informative)
TFA makes the point that these crooks were using purchased code. This indicates that they aren't very sophisticated. Their market value would appear to be zilch.
Re:Kevin Mitnick (Score:4, Informative)
Mitnick used social engineering, not reverse engineering, to gain access to networks. I don't think we have enough information to know what skillz they have or do not have. Either way, I don't *blame* them for trying to get into the security biz for a job. I didn't say I would be hiring them, just said it shouldn't be shocking that they are trying to enter a field they know at least something about.
Re: (Score:2, Informative)
I had my share of run-ins with Kevin back in the days when he was actively hacking Netcom and the Well, and while it's true that he was skilled with social engineering he should also not be portrayed as a clueless script kiddie who lacked technical skills either. In fact I think his technical experience only served to strenghten his social engineering skills.
Now it was true that UNIX was not his forte, (at least that was my observation when I watched him hack into, and subsequently kicked him out of an IRI
Re: (Score:2)
Pretty much, its one thing to make a spam bot that doesn't directly harm the user, its another to use some hack package with a gui to sell services to the highest bidder and get caught at it and traced. I wouldn't hire them based on their displayed level of ability, security concerns aside. That being said, the internet is not the wild west of 10 years ago, black hats now days aren't inventive college students lacking malice, but profiteers more akin to pirates, and I mean the real kind, not software sharer
Re: (Score:1)
Mitnick founded own firm. He didn't go to work with Tsutomu Shimomura.
Re: (Score:3, Insightful)
I don't think I'd trust these guys in a security firm more than I'd trust a pickpocket with my wallet.
There are white hats and black hats. But also, there are grey hats, ones who will write malware and then turn around for a pretty penny to build security for it. Let's just say, I wouldn't give someone that opportunity, especially with their history.
Re:Kevin Mitnick (Score:5, Insightful)
From the article:
Clearly in these guy's case, you can't.
Re: (Score:2)
Considering how much of a speed and memory hog Panda’s all-and-everything suit is, I’d say, they already know very well, how to create malware. ;)
Re: (Score:2)
Mitnick opened his own firm and tried to build trust through his own company's reputation. It's quite another to ask a company to stake their reputation on you when they really don't know how much trust they can invest in you. Especially in the security field, trust and reputation are paramount. Without either, you might was well be a bot herder. It's risky enough hiring employees in the security field without going against gut instinct and hiring someone with a previous history like this. These guys a
stupidity and dishonesty trumps knowledge (Score:2)
What about Kevin Mitnick? He is making a living by switching his hat from black to white, and no one had a problem with that. It would seem that Panda might do better having a few people who know how to make malware so successfully. The question, of course, is "can you trust them?" and only they can answer that.
What did you expect the guys to do for jobs, flip burgers? Become stock brokers? Of course they would pursue careers in security. It seems they must know a fair amount about it to get away with so much, for so long. They certainly know more than someone coming straight from a CS degree.
Fuck that. I wouldn't hire these people even if they paid me. Knowledge is not equal to intelligence, common sense, and above all, ethics that you can bet your reputation and business on as this following quote from TFA reveals:
Corrons said he met with with Netkairo again at Panda’s offices, but said he repeated his previous statement that the company could not hire someone who had been accused of running a botnet.
“So he says to me, ‘But we still haven’t been charged,’ Corrons recalled. “I told him, ‘It doesn’t matterjust the fact that you are involved is a problem when it comes to working for any serious security company.’ And what he then came out with says a lot about him. He said, “Yeah, but nobody else knows that.”
When it became clear that Panda wasn’t interested in hiring him, Netkairo changed his tune, Corrons said, claiming he had found vulnerabilities in the company’s cloud anti-virus software and hinting that he planned to publish the information.
Desperately stupid geek playing racketeering because he can't find a decent job, even if it is for flipping burguers? Nerd-meet-Tony-Soprano? Only a moron would hire that type of person knowing a priori the type of person he is.
Re: (Score:2)
Corrons said both Netkairo and Ostiator told him that while they did indeed maintain the Mariposa botnet, they did not develop the botnet code and had relatively few technical skills.
Knowledge my ass.
Interview (Score:2)
If nobody gives them a second chance (Score:5, Insightful)
...Then a life of crime is all that awaits. It's easy to say you have high standards shutting potentially talented people out of your organization, but no one should be surprised if those people turn to illegitimate activities again.
Re:If nobody gives them a second chance (Score:5, Informative)
From the article:
This is why you don't hire criminals, ex or otherwise. Pretty much by definition, they don't have normal social controls in their heads that make them worthwhile employees.
I can see Panda potentially using them as consultants of a sort, and very carefully maintaining an arms-length relationship with them that's clearly about paying them for specific analyses or something. But hire them as employees? It'd be like planting land mines under the office carpet.
Re: (Score:1)
This is why you don't hire criminals, ex or otherwise. Pretty much by definition, they don't have normal social controls in their heads that make them worthwhile employees.
So your argument is "Those People aren't like the rest of us"? LOL.
Re: (Score:1, Insightful)
There's plenty of groups in society that point to other groups and say "Those people aren't like the rest of us".
Re: (Score:2)
So your argument is "Those People aren't like the rest of us"? LOL.
Close. It's "these people have affirmatively chosen to separate themselves from the rest of us." The difference is subtle, but critical.
Re: (Score:2)
Any rebuttal that ends with "LOL" is sure to be devastating.
"Those people" is a functional definition, not an intrinsic one like race or sexual orientation, so I'm perfectly comfortable saying "those people". They're self-selecting by acting criminal. They break laws. Someone who's broken laws in the past is not, in general, trustworthy of not breaking the same laws again. As someone observed above, part of the consequences of breaking a law is that you need to regain that trust with a long period of de
I wouldn't even do that. (Score:2)
Ummm, I'd be wary of doing that.
And that is exactly why. You'd NEVER be able to trust anything from those fools. So any task you'd assign them, you'd have to assign someone SMARTER than them to check it.
Why waste time and money?
Re: (Score:2)
You'd NEVER be able to trust anything from those fools. So any task you'd assign them, you'd have to assign someone SMARTER than them to check it.
There are some problems where finding a solution is difficult, while checking that solution is easy. A lot of these are funny math problems you'd have a computer solve, but maybe there are some useful similar problems that are sufficiently poorly defined to require a human (or strong AI, which we don't currently have). I suppose "either write a machine-checkable proof that this code is secure, or demonstrate that it isn't" might be such a problem, assuming anyone wanted to pay for that amount of verificatio
Re: (Score:2)
It's a fair point. I was thinking of things like paying them when they produce verifiable use cases of security holes--something where the work product is a reproducible vulnerability (and thus easily checked), or a theoretical approach to a security problem. In other words, something where the work stands on its own as a valuable thing. You wouldn't trust such consultants with auditing or verifying something themselves.
Re:If nobody gives them a second chance (Score:5, Interesting)
The difference between criminals and average people is that the criminals believed that they had a payoff combined with a low chance of getting caught and/or they believe they have nothing to lose. Otherwise, most average non-criminals don't have much of an internal morality, set of ethical principles, or enlightened self-interest that guide their actions. What they have is a fear of consequence and the sense that they have a great deal to lose by going to jail. They're not trying to be particularly good or ethical or moral, so "decent" is a good description of them. This is, of course, a puerile concern for the self and not a concern for how one's actions may adversely impact others. If you have ever noticed how inconsiderate and oblivious most folks are, who drive/walk/shop as though other people don't exist and could not possibly be inconvenienced by their carelessness, this is part of it.
One explanation of such is Kohlberg's stages of moral development [wikipedia.org], if you feel like you need a more formal, psychology-based description to appreciate this observation. In a much more intuitive sense, it also reminds me of the quote from Aristotle: "I have gained this by philosophy; that I do without being commanded what others do only from fear of the law."
Re: (Score:2)
The CEO of Enron is dead.
Re: (Score:3, Insightful)
There's a large number of people that have felonies for killing someone with their car that you exclude because they,"don't have normal social controls in their heads that make them worthwhile employees"
these people got nabbed doing what you do every day, you are just lucky you haven't killed someone yet. I'm betting you speed, talk on the cellphone, or have had your attention taken away from driving regularly.
So roll yourself into that nice big generic pool you have there.
There are some people that by ba
Re: (Score:2)
How typical of /.: A comment made in a specific context is uselessly generalized and found to be a useless generalization.
However, I'll cop to not specifically saying "criminals whose crime was deliberate and relevant to the employment opportunity under discussion."
Re: (Score:2)
Re: (Score:3, Interesting)
There are always jobs available for ex-cons in carnival operations and commercial fishing.
Seriously, there are some ex-cons who turn their lives around and do deserve a second chance. For them, they face the tough road of taking crap work for several years until they can put some distance between themselves and their crime, and show that they've truly went straight (can take as long as ten years or more for many employers to recognize that you're clearly not a criminal anymore).
But it's been my experience t
Re: (Score:2)
I wouldn't hire a criminal to do legitimately what he did unlawfully, except with very stringent controls in place. I might hire the Spanish hackers in question for their expertise, but it would be a zero trust relationship--say, paid for each reproducible and unknown vulnerability they found and documented.
They can always find jobs in other fields where their lawbreaking isn't at the heart of their job.
Re: (Score:3, Interesting)
Someone has to cook the french fries. (Score:2, Insightful)
>...Then a life of crime is all that awaits.
That may be, but sometimes there just are no second chances, and it's a shame more people don't consider the consequences of their actions before they act.
But they don't have to turn to a life of crime. Someone has to cook the french fries, after all.
Re: (Score:2, Insightful)
Let's see you survive on that salary.
A large number of people (myself included) have commited crimes out of desperation to survive when no other options were available due to circumstances outside of their control. Hell, the average American commits at LEAST 1 felony a day. That's enough to take your vote and arms away for LIFE.
Prison is an industry in America. Prisons are private corporations that will happily grease the palms of a judge to send more people to their prison. This has been demonstrated a
Re: (Score:3, Insightful)
Someone has to cook the french fries, after all.
In this case, given that tried to blackmail them after not being hired, yes. In general though, I'd say past criminal record is a terrible method of deciding who cooks the fries and who gets to move ahead. Some crimes anyway. Some corporate fraud, sure, force them to live under a bridge.
you're making an assumption (Score:2, Insightful)
that only economic pressure leads one to crime. yes, economic pressure does lead some to a life of crime. but there are other motivations, such as: simple lack of ethics and/ or morals
therefore its difficult to employ these men because they have proven they have no problems trangressing against other people's rights. once you have proven that you are willing to do that, anyone in their right mind would hesitate to hire you for anything. for to let such a person into your organization is to basically invite
Re: (Score:1, Informative)
How is subversive speech stepping on anyone's rights? Hell I'm trying to secure them. How is an open bottle of liquor in my TRUNK that was given to me by a friend to take home stepping on anyone's rights? Get a clue. This shit can happen to YOU. Don't be so quick to judge someone you don't know. We all have demons and any one of us could be locked up for just about anything at any time these days whether it's legit or not. Just depends on their mood. Even if it doesn't stick you're ruined.
Hell, in S
That's fine (Score:4, Insightful)
But there's a big difference between giving someone a second chance and giving them whatever job they want. These guys have already proven that they have some severe ethical problems. That can limit the roles in which a company is willing to let them work. As an example: Would you be ok with these guys working on the database that contains your credit card number, or bank account details? If not then perhaps you can understand why a company wouldn't want them in certain roles.
So while I'm not saying "Screw them, they should have to beg for food for life," I think they need to accept that they aren't going to be able to be computer security professionals, at least not for some time. Perhaps they need to look at careers away from computers entirely. However if they are staying in the computer field, they are probably going to have to look at jobs that don't involve access to much, maybe helpdesk type positions. Kinds sucks but that's life.
Trust isn't the kind of thing that you can just get back once you've destroyed it. It takes time to rebuild. They are going to need to spend time working honestly to show that indeed they have learned their lesson and can act in an ethical manner. They can't expect to get a job with access to potentially sensitive data straight off, even if their technical skills are top notch (and I question if that's the case).
Re:If nobody gives them a second chance (Score:4, Interesting)
"Potentially talented"? One of the most common memes I keep hearing is that malware writers are programming geniuses who need only a guiding hand to become productive members of society.
I've met or worked with a lot of very sharp programmers over the years. All of them made a good salary from their skills. A few of them have made a significant amount of money. Any one of them would be capable of creating his own botnet without difficulty. Furthermore, many of them are sharp enough to pull off some impressive social engineering to gain access to systems, a la Kevin Mitnick.
But none of them did that, because they had the ethics to understand that subverting millions of other peoples' computers for your own financial gain is wrong. Not just illegal, but wrong.
If these botnet writers are so brilliant, where are the useful programs they have written? That's right, they don't exist. These guys are more likely marginally talented shmucks who have demonstrated an ability that hundreds of thousands of more talented programmers could easily replicate. All they lacked were the morals to do the right thing.
If these guys are actually good programmers who want to be productive members of society, let them prove it writing and marketing useful software on their own, instead of malware. But let them on my systems, or deal with my customers? Not in a million years. I can hire honest programmers for that.
Re:If nobody gives them a second chance (Score:5, Insightful)
The cynic in me wants to say that an honest person is someone who hasn't been caught lying yet.
Re: (Score:2)
"Potentially talented"? One of the most common memes I keep hearing is that malware writers are programming geniuses who need only a guiding hand to become productive members of society.
I've met or worked with a lot of very sharp programmers over the years. All of them made a good salary from their skills. A few of them have made a significant amount of money. Any one of them would be capable of creating his own botnet without difficulty. Furthermore, many of them are sharp enough to pull off some impressive social engineering to gain access to systems, a la Kevin Mitnick.
But none of them did that, because they had the ethics to understand that subverting millions of other peoples' computers for your own financial gain is wrong. Not just illegal, but wrong.
Maybe those were just smart enough to know that they will be caught eventually?
The problem with these two guys is obviously that they had no plan B for when and after they were being caught.
If you have no plan B, you are essentially gambling - with your own future in this case. That's not very smart.
Re: (Score:3, Insightful)
Frankly, I think you (and several others) are being overly cynical.
I've worked with a lot of engineering professionals in my career. What I have found is that the overwhelming majority of engineers have a strong moral / ethical compass. Most of them try to do the right thing, and do a good job. And in general, the higher the level of engineering competence, the stronger the moral compass.
Most engineers are not closet sociopath
Re: (Score:2)
...Then a life of crime is all that awaits.
I'm sure there's ditches that need digging in Spain. These guys can pick up a shovel and go earn an honest living.
This is not a black to white hat situation (Score:5, Interesting)
Re: (Score:2, Funny)
It would be like a jewlrey store hiring a known Kleptomaniac. If you cannot trust an employee, why hire them.
They'd like to be black hats. (Score:2)
But right now they're just script-kiddies.
If they HAD discovered an exploit ... why didn't they reveal that when they went for the job in the first place? Do you want employees who conceal vulnerabilities?
If they have NOT discovered an exploit ... then they're just trying to use fear to get a paycheck. Not the kind of employees you'd want.
Re: (Score:2)
The real Jobs in in Cupertino.
No, no.. In Cupertino, it's black turtlenecks .
well (Score:1)
Mari had a little posa (Score:2)
The two men, known by the online nicknames "Netkairo" and "Ostiator," were arrested in February by Spanish police for their alleged role in running the "Mariposa" botnet, a malware distribution platform that spread malicious software to more than 12 million Internet addresses from 190 countries (mariposa is Spanish for "butterfly").
I'm sorry, was the definition of mariposa relevant somehow?
Arrested? Convicted? Jailed? (Score:2)
OK, I only read the summary, and haven't followed the whole story that closely, but if these people were arrested in February, why are they not still in jail?
Financial Genius...or not. (Score:2)
So, let me get this straight. You both were in charge of one of the most "successful" botnets in history, yet couldn't even manage to save (read launder) enough money from this "moneymaking machine" to last more than two fucking months of no "income"?!?
Something tells me they should have at least thought about hiring a bean counter instead of pissing all their money away on strippers and blow.