Where Do We Draw The Line?
IT companies were quick to try to lure the Fujacks worm creator to their corporate side. One of them will eventually get him in 4 years (after Li Jun gets out of jail). The point is that such practices actually spell "start creating malware, guys, and if you're good at it we'll pay you!"
October 1, 2007
The pyromaniac panda was Li's way to fame and fortune. He'll do his time and then move on to a nice house, a nice car and a big fat paycheck. Jushu Technology Co offered him a contract of $133,155 a year and everyone's bet is that this is not the only option Li has.
This is far from being an exception. IT companies have proven before that they are willing to hire hackers renowned for their computer skills. “It takes a thief to catch a thief or to prevent the theft altogether,” corporate PR representatives might say, and they wouldn't be very far from the truth. These guys know their way around security and might prove very efficient at plugging the holes in the (fire)wall.
Also, I wouldn't be amazed to see the PR take the soap-opera approach and tell the press a nice story about the bad man who turned good and is now busy fighting cyber crime. It is a good thing to help such people instead of pushing them aside and therefore forcing them to get back to their nasty habits.
It sounds fine and dandy, but it's only vaguely correct and definitely not fair to everyone else. As I said, such a policy will only encourage more people to seek their success by writing malware. Li's story won't be about some guy who made a mistake and saw the light and now earns an honest living.
The Fujacks worm was sold for $12,500. I don't know how big the wages are in China, but I'm willing to bet that they're peanuts compared to that sum. So, the story actually goes something like this: you do wrong, hurt a lot of people and get paid for it. And later on, you get paid handsomely on a regular basis. Yes, you spend some time in jail, but will this really matter to the numerous fame-seekers?
I think it's actually fair to push aside these kinds of people. I'm not talking about some kid playing with software and still unable to foresee the consequences. I'm talking about professional virus writers. If they're caught, they shouldn't be allowed to play with fire anymore. Don't hire them, and do keep them under strict surveillance for some time after they're released from jail.
In the end, I have only one question for companies hiring virus writers: you're ok with such a person working in your IT department, right? Would you be ok if a convicted fraudster was in charge of your bank account?