A Chinese virus writer says he hopes to put his past misdemeanours behind him, and find work in the computer security business, now he has been released from jail.
28-year-old Li Jun wrote the Fujacks worm (also known as Worm.Whboy) which made headlines in 2007 because it converted icons of infected programs into a picture of a panda burning joss-sticks as it stole usernames and passwords from online games players.
According to media reports from China, Li’s good behaviour meant he did not have to serve his full prison sentence of four years, and yesterday he arrived in Beijing to pursue his dream to find a job in the anti-virus business.
It remains to be seen if Li is successful in his job search or not – but I have to admit that it would leave an ugly taste in my mouth if a legitimate anti-virus company were to hire the author of a worm, especially when it hit so many computers.
The computer security industry has a hard enough time convincing the public that we’re not the ones writing the malware, without convicted cybercriminals being hired to work alongside us. The skills required to write a decent anti-virus program are very different from those necessary to write malware, and it’s a mistake to think that virus writers have demonstrated any skills that would be useful to a computer security lab.
Indeed, it can be argued that all a hacker like Li has shown is that he has ethically immature. He’s done his time in a Chinese jail and I wish him well for the future, but a malicious hacker like this needs to understand clearly that they have blown their chances of working in the computer security industry.
Of course, not everyone feels the same as me.
Even in the last year we’ve seen a number of cases (“Ikee worm author gets job at iPhone app firm”, “Firm hires Twitter worm author Mikeyy Mooney”, “Mahalo hires botnet master”) where worm authors have been hired by firms, seemingly based more upon their notoriety and PR appeal than because they showed themselves to be more skilled that computer programmers who chose not to write malware.
Does this send out the right message? I don’t think so. After all, do we really want malicious hackers to think that malware might be a shortcut to a new job?