Security Firm Hires Writer of Worm

Sept. 29, 2004
Here's one way for a company to get noticed in the crowded world of Internet security: Hire someone whose resume is topped off with the job title "virus author."

The 18-year-old German who admitted to writing the Sasser and Netsky worms, which each disabled hundreds of thousands of computers worldwide this year, started a job with a small German security company this month. The move has brought outcry from many computer security experts and raised questions about where to draw the line between the Internet underworld and those who defend against it.

Sven Jaschan of Germany began work as a programmer trainee this month at firewall company Securepoint in Lueneburg, Germany. Lutz Hausmann, the company's technical director, conceded that the teenager has little experience or technical expertise.

"He is only an apprentice and will get an excellent vocational training," Hausmann said in an e-mail. "I think everyone should get a second chance."

Jaschan has been charged with computer sabotage in Germany and faces three to five years in prison. He has admitted to being the author of the various variants of the Sasser and Netsky worms, among the fastest-spreading worms this year.

Hausmann called Jaschan an ordinary teenager "who wants -- after his sentence -- to live on in an ordinary life." He said the teen asked for a job and stood out in the application process, despite having just "a little bit of know-how in software development."

Many in cybersecurity say the hiring is little more than a publicity stunt.

"The Securepoint hiring at best is incredibly stupid or is a last-ditch marketing effort," said Ira Winkler, an expert on the hacker mindset and corporate espionage.

He said it's easier to write a virus than to design software to protect against it. "The fact that he knows how to write a virus is the pathetic part," Winkler said.

"A lot of legitimate people -- people without criminal intent -- do stay abreast of what the hacker community is up to," said Winkler, whose book "Spies Among Us" on the hacker mindset is due out next year. "They don't go out and commit crimes. They don't go and explore other people's systems because they just feel like it."

Major anti-virus software makers said hiring a known virus writer would be a risky move for any security company.

"We don't hire any of these people," said Joe Hartmann, director of North American anti-virus research for Japan-based Trend Micro. "We're not going to take that risk."

Hartmann, based in Cupertino, said researchers seeking jobs at Trend's main anti-virus lab in the Philippines go through six months of training that includes a psychological test and background check.

He added that anti-virus companies often share pieces of malicious computer code with rival companies as they scramble to come up with a fix to a virus outbreak, making it important to have trust and credibility across the industry. Many fear that a known virus writer inside that process could exploit access to so much of that code. Anti-virus companies are also sensitive to any connection with virus writers -- the very people their products are meant to stop.

Others don't see such a black-and-white world when it comes to hiring hackers.

"I don't think it's ethical to stigmatize someone for life for something he did as an adolescent," said Bruce Schneier, chief technology officer for Counter Internet Security in Mountain View.

He said he did not know the specifics of Securepoint's decision to hire Jaschan. But Schneier, an expert on Internet security, added, "I dislike the hard and fast rules. Never hire hackers? That's moronic. It's case by case. In every case, you hire someone you can trust."

He did, however, agree Securepoint's hiring was a good publicity move: "Who has heard of this company before?"