Forgot your password?
typodupeerror
Botnet Security IT News

Mariposa Botmasters Sought Real Jobs After Arrest 92

Posted by Soulskill
from the unusual-recruitment-practices dept.
An anonymous reader writes "Two of the three Spanish men arrested in February for their alleged role in operating the massive Mariposa botnet later sought jobs at the Spanish security firm that previously had helped get them arrested. From Krebsonsecurity.com: 'Corrons, a technical director and blogger for Spanish security firm Panda Security, said he received a visit from the hackers on the morning of March 22. The two men, known by the online nicknames "Netkairo" and "Ostiator," were arrested in February by Spanish police for their alleged role in running the "Mariposa" botnet, a malware distribution platform that spread malicious software to more than 12 million Internet addresses from 190 countries (mariposa is Spanish for "butterfly"). Now, here the two Mariposa curators were at Panda's headquarters in Bilbao, their resumes in hand, practically begging for a job, Corrons said.' The story concludes with a brief response from Netkairo, who acknowledges seeking the job at Panda because he is broke now that his moneymaking machine has been dismantled."
This discussion has been archived. No new comments can be posted.

Mariposa Botmasters Sought Real Jobs After Arrest

Comments Filter:
  • by CRCulver (715279) <crculver@christopherculver.com> on Monday May 03, 2010 @01:35PM (#32074558) Homepage
    When Spain has seen incredible joblessness [bbc.co.uk] recently, you can't blame people for being a little desparate in their jobhunting.
    • Re: (Score:1, Insightful)

      by Anonymous Coward

      If by "jobhunting" you mean "willingly fucking up the computers of 12 million people, then expecting a pity party when they get caught," then yes.

    • I think that's what *most* people might call it in those parts, 15+% unemployment notwithstanding.

      • That's more of a Mexican latino thing, i think testiculos is more apropos
        • Re: (Score:1, Offtopic)

          by GNUALMAFUERTE (697061)

          Wrong. Testiculos is the proper word, AKA Testicles. In Spain, they say that someone "Tiene cojones" (literally has balls), as in "is very brave".

          The Mexicans don't use that expression that much. Actually, Mexicans don't speak Spanish at all. They speak Mexican, which is a mixture of bad spanish, completely made up words, engrish, plus groins and other guttural sounds.

          • by vegiVamp (518171) on Monday May 03, 2010 @03:50PM (#32076150) Homepage
            I do believe you mean "groans".

            Actually, I HOPE you mean "groans".
    • by elrous0 (869638) *
      I picture a bank-robber walking into the bank he robbed and asking for a job as a guard by saying "Hey, who knows more about robbing this bank than me, right?"
  • Kevin Mitnick (Score:4, Insightful)

    by Pharmboy (216950) on Monday May 03, 2010 @01:43PM (#32074632) Journal

    What about Kevin Mitnick? He is making a living by switching his hat from black to white, and no one had a problem with that. It would seem that Panda might do better having a few people who know how to make malware so successfully. The question, of course, is "can you trust them?" and only they can answer that.

    What did you expect the guys to do for jobs, flip burgers? Become stock brokers? Of course they would pursue careers in security. It seems they must know a fair amount about it to get away with so much, for so long. They certainly know more than someone coming straight from a CS degree.

    • Re:Kevin Mitnick (Score:5, Informative)

      by MarkvW (1037596) on Monday May 03, 2010 @01:52PM (#32074760)

      TFA makes the point that these crooks were using purchased code. This indicates that they aren't very sophisticated. Their market value would appear to be zilch.

      • Re:Kevin Mitnick (Score:4, Informative)

        by Pharmboy (216950) on Monday May 03, 2010 @01:56PM (#32074820) Journal

        Mitnick used social engineering, not reverse engineering, to gain access to networks. I don't think we have enough information to know what skillz they have or do not have. Either way, I don't *blame* them for trying to get into the security biz for a job. I didn't say I would be hiring them, just said it shouldn't be shocking that they are trying to enter a field they know at least something about.

        • Re: (Score:2, Informative)

          by Anonymous Coward

          I had my share of run-ins with Kevin back in the days when he was actively hacking Netcom and the Well, and while it's true that he was skilled with social engineering he should also not be portrayed as a clueless script kiddie who lacked technical skills either. In fact I think his technical experience only served to strenghten his social engineering skills.

          Now it was true that UNIX was not his forte, (at least that was my observation when I watched him hack into, and subsequently kicked him out of an IRI

      • Pretty much, its one thing to make a spam bot that doesn't directly harm the user, its another to use some hack package with a gui to sell services to the highest bidder and get caught at it and traced. I wouldn't hire them based on their displayed level of ability, security concerns aside. That being said, the internet is not the wild west of 10 years ago, black hats now days aren't inventive college students lacking malice, but profiteers more akin to pirates, and I mean the real kind, not software sharer

    • by tokul (682258)

      What about Kevin Mitnick

      Mitnick founded own firm. He didn't go to work with Tsutomu Shimomura.

    • Re: (Score:3, Insightful)

      I don't think I'd trust these guys in a security firm more than I'd trust a pickpocket with my wallet.

      There are white hats and black hats. But also, there are grey hats, ones who will write malware and then turn around for a pretty penny to build security for it. Let's just say, I wouldn't give someone that opportunity, especially with their history.

    • Re:Kevin Mitnick (Score:5, Insightful)

      by jjohnson (62583) on Monday May 03, 2010 @01:58PM (#32074836) Homepage

      The question, of course, is "can you trust them?" and only they can answer that.

      From the article:

      When it became clear that Panda wasn't interested in hiring him, Netkairo changed his tune, Corrons said, claiming he had found vulnerabilities in the company's cloud anti-virus software and hinting that he planned to publish the information.

      Clearly in these guy's case, you can't.

    • Considering how much of a speed and memory hog Panda’s all-and-everything suit is, I’d say, they already know very well, how to create malware. ;)

    • by bl8n8r (649187)

      Mitnick opened his own firm and tried to build trust through his own company's reputation. It's quite another to ask a company to stake their reputation on you when they really don't know how much trust they can invest in you. Especially in the security field, trust and reputation are paramount. Without either, you might was well be a bot herder. It's risky enough hiring employees in the security field without going against gut instinct and hiring someone with a previous history like this. These guys a

    • What about Kevin Mitnick? He is making a living by switching his hat from black to white, and no one had a problem with that. It would seem that Panda might do better having a few people who know how to make malware so successfully. The question, of course, is "can you trust them?" and only they can answer that.

      What did you expect the guys to do for jobs, flip burgers? Become stock brokers? Of course they would pursue careers in security. It seems they must know a fair amount about it to get away with so much, for so long. They certainly know more than someone coming straight from a CS degree.

      Fuck that. I wouldn't hire these people even if they paid me. Knowledge is not equal to intelligence, common sense, and above all, ethics that you can bet your reputation and business on as this following quote from TFA reveals:

      Corrons said he met with with Netkairo again at Panda’s offices, but said he repeated his previous statement that the company could not hire someone who had been accused of running a botnet.

      “So he says to me, ‘But we still haven’t been charged,’ Corrons recalled. “I told him, ‘It doesn’t matterjust the fact that you are involved is a problem when it comes to working for any serious security company.’ And what he then came out with says a lot about him. He said, “Yeah, but nobody else knows that.”

      When it became clear that Panda wasn’t interested in hiring him, Netkairo changed his tune, Corrons said, claiming he had found vulnerabilities in the company’s cloud anti-virus software and hinting that he planned to publish the information.

      Desperately stupid geek playing racketeering because he can't find a decent job, even if it is for flipping burguers? Nerd-meet-Tony-Soprano? Only a moron would hire that type of person knowing a priori the type of person he is.

      • by elnyka (803306)
        And to boot:

        Corrons said both Netkairo and Ostiator told him that while they did indeed maintain the Mariposa botnet, they did not develop the botnet code and had relatively few technical skills.

        Knowledge my ass.

  • I can imagine how the interview went: http://www.youtube.com/watch?v=3a7C2EtErYQ [youtube.com]
  • by pegasustonans (589396) on Monday May 03, 2010 @01:45PM (#32074662)

    ...Then a life of crime is all that awaits. It's easy to say you have high standards shutting potentially talented people out of your organization, but no one should be surprised if those people turn to illegitimate activities again.

    • by jjohnson (62583) on Monday May 03, 2010 @01:52PM (#32074768) Homepage

      From the article:

      When it became clear that Panda wasn't interested in hiring him, Netkairo changed his tune, Corrons said, claiming he had found vulnerabilities in the company's cloud anti-virus software and hinting that he planned to publish the information.

      This is why you don't hire criminals, ex or otherwise. Pretty much by definition, they don't have normal social controls in their heads that make them worthwhile employees.

      I can see Panda potentially using them as consultants of a sort, and very carefully maintaining an arms-length relationship with them that's clearly about paying them for specific analyses or something. But hire them as employees? It'd be like planting land mines under the office carpet.

      • This is why you don't hire criminals, ex or otherwise. Pretty much by definition, they don't have normal social controls in their heads that make them worthwhile employees.

        So your argument is "Those People aren't like the rest of us"? LOL.

        • Re: (Score:1, Insightful)

          by Anonymous Coward

          There's plenty of groups in society that point to other groups and say "Those people aren't like the rest of us".

        • So your argument is "Those People aren't like the rest of us"? LOL.

          Close. It's "these people have affirmatively chosen to separate themselves from the rest of us." The difference is subtle, but critical.

        • by jjohnson (62583)

          Any rebuttal that ends with "LOL" is sure to be devastating.

          "Those people" is a functional definition, not an intrinsic one like race or sexual orientation, so I'm perfectly comfortable saying "those people". They're self-selecting by acting criminal. They break laws. Someone who's broken laws in the past is not, in general, trustworthy of not breaking the same laws again. As someone observed above, part of the consequences of breaking a law is that you need to regain that trust with a long period of de

      • I can see Panda potentially using them as consultants of a sort, and very carefully maintaining an arms-length relationship with them that's clearly about paying them for specific analyses or something.

        Ummm, I'd be wary of doing that.

        It'd be like planting land mines under the office carpet.

        And that is exactly why. You'd NEVER be able to trust anything from those fools. So any task you'd assign them, you'd have to assign someone SMARTER than them to check it.

        Why waste time and money?

        • You'd NEVER be able to trust anything from those fools. So any task you'd assign them, you'd have to assign someone SMARTER than them to check it.

          There are some problems where finding a solution is difficult, while checking that solution is easy. A lot of these are funny math problems you'd have a computer solve, but maybe there are some useful similar problems that are sufficiently poorly defined to require a human (or strong AI, which we don't currently have). I suppose "either write a machine-checkable proof that this code is secure, or demonstrate that it isn't" might be such a problem, assuming anyone wanted to pay for that amount of verificatio

        • by jjohnson (62583)

          It's a fair point. I was thinking of things like paying them when they produce verifiable use cases of security holes--something where the work product is a reproducible vulnerability (and thus easily checked), or a theoretical approach to a security problem. In other words, something where the work stands on its own as a valuable thing. You wouldn't trust such consultants with auditing or verifying something themselves.

      • by causality (777677) on Monday May 03, 2010 @02:22PM (#32075072)

        This is why you don't hire criminals, ex or otherwise. Pretty much by definition, they don't have normal social controls in their heads that make them worthwhile employees.

        The difference between criminals and average people is that the criminals believed that they had a payoff combined with a low chance of getting caught and/or they believe they have nothing to lose. Otherwise, most average non-criminals don't have much of an internal morality, set of ethical principles, or enlightened self-interest that guide their actions. What they have is a fear of consequence and the sense that they have a great deal to lose by going to jail. They're not trying to be particularly good or ethical or moral, so "decent" is a good description of them. This is, of course, a puerile concern for the self and not a concern for how one's actions may adversely impact others. If you have ever noticed how inconsiderate and oblivious most folks are, who drive/walk/shop as though other people don't exist and could not possibly be inconvenienced by their carelessness, this is part of it.

        One explanation of such is Kohlberg's stages of moral development [wikipedia.org], if you feel like you need a more formal, psychology-based description to appreciate this observation. In a much more intuitive sense, it also reminds me of the quote from Aristotle: "I have gained this by philosophy; that I do without being commanded what others do only from fear of the law."

      • Re: (Score:3, Insightful)

        by Lumpy (12016)

        There's a large number of people that have felonies for killing someone with their car that you exclude because they,"don't have normal social controls in their heads that make them worthwhile employees"

        these people got nabbed doing what you do every day, you are just lucky you haven't killed someone yet. I'm betting you speed, talk on the cellphone, or have had your attention taken away from driving regularly.

        So roll yourself into that nice big generic pool you have there.

        There are some people that by ba

        • by jjohnson (62583)

          How typical of /.: A comment made in a specific context is uselessly generalized and found to be a useless generalization.

          However, I'll cop to not specifically saying "criminals whose crime was deliberate and relevant to the employment opportunity under discussion."

      • by iamhassi (659463)
        So if you don't hire criminals, what do you think should be done with them?
        • Re: (Score:3, Interesting)

          by elrous0 (869638) *

          There are always jobs available for ex-cons in carnival operations and commercial fishing.

          Seriously, there are some ex-cons who turn their lives around and do deserve a second chance. For them, they face the tough road of taking crap work for several years until they can put some distance between themselves and their crime, and show that they've truly went straight (can take as long as ten years or more for many employers to recognize that you're clearly not a criminal anymore).

          But it's been my experience t

        • by jjohnson (62583)

          I wouldn't hire a criminal to do legitimately what he did unlawfully, except with very stringent controls in place. I might hire the Spanish hackers in question for their expertise, but it would be a zero trust relationship--say, paid for each reproducible and unknown vulnerability they found and documented.

          They can always find jobs in other fields where their lawbreaking isn't at the heart of their job.

    • Re: (Score:3, Interesting)

      by crow_t_robot (528562)
      EXACTLY. This is exactly how Carl Gugasian began his 30-year career of bank robbery [ http://en.wikipedia.org/wiki/Carl_Gugasian [wikipedia.org] ] He was told that he would never get a legitimate job because of a juvenile robbery offense so he went on to become, arguably, the world's greatest bank robber for 30 years. He ended up being caught due to a total fluke.
    • >...Then a life of crime is all that awaits.

      That may be, but sometimes there just are no second chances, and it's a shame more people don't consider the consequences of their actions before they act.

      But they don't have to turn to a life of crime. Someone has to cook the french fries, after all.

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        Let's see you survive on that salary.

        A large number of people (myself included) have commited crimes out of desperation to survive when no other options were available due to circumstances outside of their control. Hell, the average American commits at LEAST 1 felony a day. That's enough to take your vote and arms away for LIFE.

        Prison is an industry in America. Prisons are private corporations that will happily grease the palms of a judge to send more people to their prison. This has been demonstrated a

      • Re: (Score:3, Insightful)

        by interkin3tic (1469267)

        Someone has to cook the french fries, after all.

        In this case, given that tried to blackmail them after not being hired, yes. In general though, I'd say past criminal record is a terrible method of deciding who cooks the fries and who gets to move ahead. Some crimes anyway. Some corporate fraud, sure, force them to live under a bridge.

    • that only economic pressure leads one to crime. yes, economic pressure does lead some to a life of crime. but there are other motivations, such as: simple lack of ethics and/ or morals

      therefore its difficult to employ these men because they have proven they have no problems trangressing against other people's rights. once you have proven that you are willing to do that, anyone in their right mind would hesitate to hire you for anything. for to let such a person into your organization is to basically invite

      • Re: (Score:1, Informative)

        by Anonymous Coward

        How is subversive speech stepping on anyone's rights? Hell I'm trying to secure them. How is an open bottle of liquor in my TRUNK that was given to me by a friend to take home stepping on anyone's rights? Get a clue. This shit can happen to YOU. Don't be so quick to judge someone you don't know. We all have demons and any one of us could be locked up for just about anything at any time these days whether it's legit or not. Just depends on their mood. Even if it doesn't stick you're ruined.

        Hell, in S

    • That's fine (Score:4, Insightful)

      by Sycraft-fu (314770) on Monday May 03, 2010 @02:04PM (#32074894)

      But there's a big difference between giving someone a second chance and giving them whatever job they want. These guys have already proven that they have some severe ethical problems. That can limit the roles in which a company is willing to let them work. As an example: Would you be ok with these guys working on the database that contains your credit card number, or bank account details? If not then perhaps you can understand why a company wouldn't want them in certain roles.

      So while I'm not saying "Screw them, they should have to beg for food for life," I think they need to accept that they aren't going to be able to be computer security professionals, at least not for some time. Perhaps they need to look at careers away from computers entirely. However if they are staying in the computer field, they are probably going to have to look at jobs that don't involve access to much, maybe helpdesk type positions. Kinds sucks but that's life.

      Trust isn't the kind of thing that you can just get back once you've destroyed it. It takes time to rebuild. They are going to need to spend time working honestly to show that indeed they have learned their lesson and can act in an ethical manner. They can't expect to get a job with access to potentially sensitive data straight off, even if their technical skills are top notch (and I question if that's the case).

    • by timholman (71886) on Monday May 03, 2010 @02:12PM (#32074962)

      ...Then a life of crime is all that awaits. It's easy to say you have high standards shutting potentially talented people out of your organization, but no one should be surprised if those people turn to illegitimate activities again.

      "Potentially talented"? One of the most common memes I keep hearing is that malware writers are programming geniuses who need only a guiding hand to become productive members of society.

      I've met or worked with a lot of very sharp programmers over the years. All of them made a good salary from their skills. A few of them have made a significant amount of money. Any one of them would be capable of creating his own botnet without difficulty. Furthermore, many of them are sharp enough to pull off some impressive social engineering to gain access to systems, a la Kevin Mitnick.

      But none of them did that, because they had the ethics to understand that subverting millions of other peoples' computers for your own financial gain is wrong. Not just illegal, but wrong.

      If these botnet writers are so brilliant, where are the useful programs they have written? That's right, they don't exist. These guys are more likely marginally talented shmucks who have demonstrated an ability that hundreds of thousands of more talented programmers could easily replicate. All they lacked were the morals to do the right thing.

      If these guys are actually good programmers who want to be productive members of society, let them prove it writing and marketing useful software on their own, instead of malware. But let them on my systems, or deal with my customers? Not in a million years. I can hire honest programmers for that.

      • by tool462 (677306) on Monday May 03, 2010 @03:56PM (#32076220)

        The cynic in me wants to say that an honest person is someone who hasn't been caught lying yet.

      • by rainer_d (115765)

        ...Then a life of crime is all that awaits. It's easy to say you have high standards shutting potentially talented people out of your organization, but no one should be surprised if those people turn to illegitimate activities again.

        "Potentially talented"? One of the most common memes I keep hearing is that malware writers are programming geniuses who need only a guiding hand to become productive members of society.

        I've met or worked with a lot of very sharp programmers over the years. All of them made a good salary from their skills. A few of them have made a significant amount of money. Any one of them would be capable of creating his own botnet without difficulty. Furthermore, many of them are sharp enough to pull off some impressive social engineering to gain access to systems, a la Kevin Mitnick.

        But none of them did that, because they had the ethics to understand that subverting millions of other peoples' computers for your own financial gain is wrong. Not just illegal, but wrong.

        Maybe those were just smart enough to know that they will be caught eventually?
        The problem with these two guys is obviously that they had no plan B for when and after they were being caught.
        If you have no plan B, you are essentially gambling - with your own future in this case. That's not very smart.

        • Re: (Score:3, Insightful)

          by timholman (71886)

          Maybe those were just smart enough to know that they will be caught eventually?

          Frankly, I think you (and several others) are being overly cynical.

          I've worked with a lot of engineering professionals in my career. What I have found is that the overwhelming majority of engineers have a strong moral / ethical compass. Most of them try to do the right thing, and do a good job. And in general, the higher the level of engineering competence, the stronger the moral compass.

          Most engineers are not closet sociopath

    • ...Then a life of crime is all that awaits.

      I'm sure there's ditches that need digging in Spain. These guys can pick up a shovel and go earn an honest living.

  • by LockeOnLogic (723968) on Monday May 03, 2010 @02:02PM (#32074876)
    RTFA this isn't a situtation of some reformed skilled hacker seek a job. These are a bunch of script kiddies trying to weasle their way into a job by pretending to be like Kevin Mitnick. After being turned away several times (justifiably) they then decided to threaten to expose a security vunerability they claimed to have discovered in the companies software. They are black hats through and through.
    • Re: (Score:2, Funny)

      by SnarfQuest (469614)

      It would be like a jewlrey store hiring a known Kleptomaniac. If you cannot trust an employee, why hire them.

    • But right now they're just script-kiddies.

      If they HAD discovered an exploit ... why didn't they reveal that when they went for the job in the first place? Do you want employees who conceal vulnerabilities?

      If they have NOT discovered an exploit ... then they're just trying to use fear to get a paycheck. Not the kind of employees you'd want.

  • ... did they get the jobs?
  • The two men, known by the online nicknames "Netkairo" and "Ostiator," were arrested in February by Spanish police for their alleged role in running the "Mariposa" botnet, a malware distribution platform that spread malicious software to more than 12 million Internet addresses from 190 countries (mariposa is Spanish for "butterfly").

    I'm sorry, was the definition of mariposa relevant somehow?

  • OK, I only read the summary, and haven't followed the whole story that closely, but if these people were arrested in February, why are they not still in jail?

  • So, let me get this straight. You both were in charge of one of the most "successful" botnets in history, yet couldn't even manage to save (read launder) enough money from this "moneymaking machine" to last more than two fucking months of no "income"?!?

    Something tells me they should have at least thought about hiring a bean counter instead of pissing all their money away on strippers and blow.

Take care of the luxuries and the necessities will take care of themselves. -- Lazarus Long

Working...