There are things that I don't understand about this story.
I don't understand why Calacanis' choice was between firing his trusted CTO and retaining a convicted computer felon.
I don't understand how Mahalo could have checked any reference, let alone 3-5, and not found out that Schiefer is one of the most famous computer felons in California.
I don't understand why Calacanis is characterizing something that Schiefer did in 2005, in his mid-20's, as the actions of a "stupid kid".
I don't understand how Calacanis arrives at his estimation that Schiefer did only 0.0000001% of the damage he could have with his botnet. Schiefer stole random Paypal accounts and used them to buy things, and passed stolen Paypal accounts on to his acquaintances. What's the "worse" thing you can do with a botnet? At least the DDoS extortion botnets target gambling sites, and not your mom.
For that matter, I don't understand how Calacanis can equate what Schiefer did to the dumb things lots of teenagers do on computer networks (and, for that matter, on conference room floors). Schiefer wasn't a "hacker". He's a carder.
(As a side-note to Calacanis: sniffing people's passwords at conferences? Also illegal!)
Calacanis says Schiefer was supervised in his work at Mahalo. Is there someone who isn't supervised there? I don't understand how Mahalo believes they had the capability to supervise someone who can manage a 250,000-host botnet.
Unfortunately, I do understand why Calacanis thinks he doesn't handle sensitive information. He doesn't see the link between tens of thousands of email-password pairs and those people's bank accounts. Just a wild guess, but I'm thinking the guy who steals the Paypal accounts out of bot-infected Windows boxes can make that leap.
This is just such a weird post. I guess I can understand not seeing "contrition". But Calacanis seems proud that this happened. It's just head-explody weird.
Calacanis' reaction is an interesting one. As he states himself it was the risky, not socially acceptable, decision to make. His telling of the story makes it seem that he made the right decision. I would agree. A little grace, which by definition can only be shown to someone completely unworthy of it, is encouraging. I am fascinated by my own reaction when I read stories like this. Why is it that justice waived produces such a positive response in me? I think it is because my experience shows that I too need grace more often than not. Whether its something as small as being allowed to turn in an assignment late, or a boss who overlooks a broken rule that they had every right to enforce, I need a measure of grace on an almost daily basis. So to Mr. Calacanis: Thank you for reminding us that there is grace out there when we need it.
I'm sad to think that they would have cut him out of the process if they had known.
I sort of hate our culture which demonizes anyone who has ever been prosecuted by the justice system and quickly shuffles them into a corner of "people who we can't legally round up and gas but are just as worthless". It's really unhealthy to think that decent, worthwhile people can't ever make mistakes in judgement (and learn from them!) and to presume that the law is always morally correct. It's really a great disservice to the idea that we are trying to rehabilitate people.
Rehabilitate people? He was sentenced this week. The investigation started in 2005; he didn't even cop a plea until 2007. I'm all for rehabilitation, but if you can't make a judgement call not to put a convicted computer felon in a sysadmin role when he's still pending sentencing, when can you? The relativism here is just dizzying.
This particular case makes sense, it's the same as not hiring someone because they are definitely going to have to quit relatively soon, especially if they knowingly withheld that information. However, the article and its title strongly suggest that if he were an ex-convict, they would have cut him out of the process with no second thoughts. Of course all ex-cons are subhuman murderous animals!
That's what I'm really annoyed about, so maybe this situation really just doesn't fit, but I still felt it had to be said.
When do you know that somebody can be trusted again? Serious question - I am not sure about the best way to go about it.
A spontaneous feeling would be that maybe someone should earn the trust somehow, so I wouldn't necessarily simply put them in a position where they can do the same things they did before. (Like not employing child abusers in child care). Anyway, it is hard to tell without knowing more about the person in question.
I would consider this smart P.R. John Schiefer was sentenced yesterday (3/4/09), and the story seemed to break today.
John was actually convicted for identity theft, fraud, and stealing bank account info. So the charges were pretty serious. Infoworld makes it sound like he just used the bank account info to pay for domain registration and web server space. It seems from the report the biggest victim was a company he scammed 19k out of for installing software on people's computers. So while it looks like the damage could have been a lot worse, the charges are very serious.
But anyway, for whatever reason, Jason decided to keep John on as an employee. People deserve second chances, so I'm willing to believe that John might be a good guy who just really screwed up. So I could accept that Jason might have good reason for keeping John on.
Since the story just broke, the information is pretty basic, and right now the only link between Mahalo and John is from Jason's blog. But of course that would change. Soon journalists are going to be mentioning that John was employed at Mahalo. And now Jason has taken charge of that bit of the story. He has been relatively open and defended his decision. So I see the blog has a good attempt to minimize the negative P.R. from John Schiefer getting convicted.
Obviously I didn't write the post in order to get PR. This is NOT the kind of thing you want PR for.
We decided to submit letters to the judge in order to have John's sentence reduced from 60 years to something more reasonable. In order to do that we had to go on record, and those records came out yesterday at the sentencing which I attended.
The Register called today and I thought it would be best for me to explain our position in an honest and upfront way, rather than just having one quote posted here or there.
Yes, my CTO screwed up the hiring process by not doing a basic Google search.
Yes, the easy choice would have been to fire John.
However, after getting to know John I thought the best thing for John and society would be for John to work until he went to jail. He's a good person who did very stupid things.
My only goal at this point was to help reduce John's sentence and help him become a functioning member of society.
I'm not sure, but I think he might be saying: "Mahalo was getting the publicity one way or the other, so by posting this before the story broke, you got a chance to control it".
I might not have clearly articulated myself. I didn't mean to imply that you were using this situation to get more P.R. for Mahalo.
As I said before I think the charges against John are serious. I don't know what is fully going on and I don't know know John personally. So I really don't have enough knowledge to form an opinion of his character. So since you know John and say that he is a good person, I believe you. He obviously has technical skill and knowledge, so I see no reason that he can't become a productive member of society once he gets out of jail.
Although no news reports currently mention that John worked at Mahalo, that will probably change. As you mentioned, the Register called you today. And once people see that John worked at Mahalo, they are going to link Mahalo to a convicted cracker. Naturally that is going to raise some questions about your company.
Sure you could have not made a statement and refused to answer any questions. That is your right. I really don't see how using Mahalo could put my identity or computer at risk (My level of computer knowledge might be making me overconfident). So some of the questions people raise about Mahalo are probably going to be invasive and will not have much to do with a user's experience using the site. But the P.R. is bad, and if you hadn't made any statement, people will probably have assumed the worst about your company.
Also, I am sure that John needs any support he can get right now since I am sure that he is going to be attacked. So I'm sure John appreciated your public support of him.
So basically an open and honest explanation helps mitigate that bad P.R. Now if people are curious about why you hired John, they can get answers directly from you. And you posted the blog before news reports reports came out about you hiring him, so it really does not come across as defensive. I made that comment about your blog post being smart P.R. because that post and its timing is one of the best responses that I can think of to any questions about your company.
Ok, that was completely unjustified. How did he turn it into "linkbait"? He has stopped blogging except for the occasional post which he deems enough to re-post to his blog. It seemed like a very insightful entry showing compassion and understanding for others -- something your comment was not.
Oh, please. Jason Calacanis does not need my compassion.
It seemed clear to me that the title was deliberately worded to be provocative. This is a common characteristic of linkbait.
Given Calacanis' past history of search engine spamming, I'm far less forgiving with him than I would be with someone else. Forgive me for "misinterpreting" his intent.
The title is misleading. I had thought he was explaining how people should give felons--something I can relate to personally, though I'm not a felon--a second chance. But like the OP said, it really was a story about a hiring mistake bordering on fraud.
If it were a hiring mistake, wouldn't it have been letter to have let go of John? Is it really worth the risk just for linkbait?
Even extreme self-promotion doesn't go this far. People may be bad at calculating risks, but the risk of negative PR is one that we seldom underestimate.
Actually, people with a criminal past (or general oddities that are looked down upon by corporate americal) are often a good choice for a small startup trying to save money. My company often would be someone's 'opportunity' to prove themselves after a major setback in life.
They are motivated, willing to work for cheap, and appreciate the opportunity so much more than someone 'willing to take a paycut' to join your startup. And when times get tough they will be your most loyal employees.
In a startup where cash is tight and the outlook is 'hazy', an employees loyalty is priceless.
Not that I am against giving people a second chance (and hey, abused youth and all), but to explain it by saying we are all criminals anyway so it is no biggie doesn't really raise my level of trust.
Every year, more than 130,000 people are convicted on felony charges for basic drug possession, a crime that hurts nobody and which is by a commanding majority of surveyed public opinion regarded as a crime that should not actually be a crime. All of these people are going to fail the criminal background checks applied across a good swath of the Fortune 500.
I think Google is in the fortune 500. Anyway they seem to go out of their way to not treat basic drug possession as a black mark. I interviewed there, and on the application form they had a question like "Have you ever been convicted of a crime (do not include basic drug possession)?"
It's good to know Google is reasonable about this, but you should consider that the overwhelming majority of possession arrests/convictions are misdemeanors. But the ONDCP had a breakdown (from several years ago) of felony convictions for possession; over 130,000. Companies are probably less tolerant of felonies.
Everybody has to decide for themselves where they draw the line (and I would feel better about crimes that don't really hurt anybody). Personally I felt it was inappropriate to lump all those crimes together. And actually, maybe I went to the wrong university, but I don't witness people hacking into other people's accounts on a regular basis. The question is, when do you know that you can trust somebody, and they have really changed their ways?
Knowingly having a hacker in an organization is a very difficult predicament. Yes people should be given a second chance, but is it worth all the possible negative press. I would not have kept him on. I don't know the guys though.
I know 'innocent until proven guilty' and all that, but I'm still pretty surprised that a judge would allow someone who is about to go on trial for computer fraud and hacking find work at a computer company and use the internet.
It was probably due to a plea bargain. He pled guilty, and one of the conditions was likely that he was allowed to be able to work, using computers, until his sentence begins.
I wouldn't doubt that the conditions minimized or prevented his use of computers outside of work-related purposes.
In many cases they are banned from the stores where they shoplifted -- both by the company explicitly, and sometimes restraining orders are filed with the local municipality.
Not running a Google search on a job candidate is actually a reasonable thing to do. The fact that the name matches with a felon, or that people have posted nasty accusations, is no evidence of anything.
I don't understand why Calacanis' choice was between firing his trusted CTO and retaining a convicted computer felon.
I don't understand how Mahalo could have checked any reference, let alone 3-5, and not found out that Schiefer is one of the most famous computer felons in California.
I don't understand why Calacanis is characterizing something that Schiefer did in 2005, in his mid-20's, as the actions of a "stupid kid".
I don't understand how Calacanis arrives at his estimation that Schiefer did only 0.0000001% of the damage he could have with his botnet. Schiefer stole random Paypal accounts and used them to buy things, and passed stolen Paypal accounts on to his acquaintances. What's the "worse" thing you can do with a botnet? At least the DDoS extortion botnets target gambling sites, and not your mom.
For that matter, I don't understand how Calacanis can equate what Schiefer did to the dumb things lots of teenagers do on computer networks (and, for that matter, on conference room floors). Schiefer wasn't a "hacker". He's a carder.
(As a side-note to Calacanis: sniffing people's passwords at conferences? Also illegal!)
Calacanis says Schiefer was supervised in his work at Mahalo. Is there someone who isn't supervised there? I don't understand how Mahalo believes they had the capability to supervise someone who can manage a 250,000-host botnet.
Unfortunately, I do understand why Calacanis thinks he doesn't handle sensitive information. He doesn't see the link between tens of thousands of email-password pairs and those people's bank accounts. Just a wild guess, but I'm thinking the guy who steals the Paypal accounts out of bot-infected Windows boxes can make that leap.
This is just such a weird post. I guess I can understand not seeing "contrition". But Calacanis seems proud that this happened. It's just head-explody weird.