By Dan Goodin in San Francisco
5th March 2009
For the past four or five months, Mahalo.com has entrusted its site to a
security consultant who stole hundreds of thousands of bank passwords
with a massive botnet, which he sometimes administered from his former
For most of that time, serial entrepreneur and Mahalo CEO Jason
Calacanis was in the dark because no one at the company had bothered to
Google the employee. But even after learning that 27-year-old John
Kenneth Schiefer confessed to extensive botnet crimes just 16 months
ago, they are continuing to trust him with system root passwords and
other sensitive company information.
"After really a lot of careful deliberation and looking at exactly what
damage he could do here and how he was being supervised, we made a
compassionate decision to let him work up to the day that he goes to
prison," Calacanis told The Register. "We've made a point of supervising
him and I talk to him on a daily basis."
On Wednesday, a federal judge sentenced Schiefer to serve four years in
federal prison and pay $20,000 in restitution and a $2,500 fine. The
hacker, who went by the names Acid and Acidstorm, has been given 90 days
to surrender to prison officials.
Schiefer's employment with Mahalo exposes an interesting quandary over
the roles redemption and accountability ought to play when hiring
employees for sensitive IT positions. Schiefer admitted to pilfering
hundreds of thousands of online banking passwords, wielding a
250,000-strong botnet and even illegally accessing computers belonging
to customers of his former employer, Los Angeles-based 3G