Chinese Worm Creator Gets High-Paying Job Offer In Prison

martinsslaves writes "The recently imprisoned creator of China's worst computer virus ever (worm.whboy) has now been offered a job paying millions of yuan from his prison cell. He's actually been offered several, and one of the companies that has offered him the position of Technology Director was actually affected by his virus. The General Manager there now believes the virus writer may have just been 'led astray'. The media is reporting that author Li Jun originally wrote the virus due to frustrations over being jobless. 'So far, about 10 network companies across the country have offered jobs to Li, whom they regarded was a "precious genius," the report said citing Li's lawyer Wang Wanxiong. Li's cyber bug, which earned him about 145,000 yuan after selling it to other hackers from December 2006 to February this year, can prevent infected computers from operating anti-virus software and all programs using the "exe" suffix.'"

This used to happen in the US

In the 80's if you got caught hacking, you might get some jail time, and get your gear confiscated, but often you were also offered a job.

Re:

Not only in the US. There've been others who were found and offered the choice of jailtime or working for the company.

I wonder how many look back and wish they'd have taken jail...

Re:

Not just companies - the FBI. One of the first major pirate groups busted in the United States had members that worked for the feds in lieu of jail time or juvenile hall (the Super Pirates of Minneapolis [SPM]).

As a kid I went to church w

Re:

Another way to interpret this is that China is catching up to us. It is another sign of the victory of capitalism, even in the labor market -- his skills are in demand, so job offers from Chinese companies are coming in; it doesn't matter that he's in pri

Oh god... I predict "resume spam" soon

The more people like this get tremendous job offers, the worse I see things getting since they are ultimately being rewarded for their behavior.

To that end, instead of "stocks" in images and PDFs, I predict the next round will be resumes flying around!

Re:Oh god... I predict "resume spam" soon

Are you kidding? This is HOW security comes into being. If no one compromises security, exploits holes, and shows people the errors that exist they will never get patched. That is why black, white, and gray hats exist. Its like yin and yang. Devs write something, black hats find holes, and the white hats fix it. If they can do it all in house, everyone is better off. Whose the one really to blame, the company who writes the shoddy software with gaping holes in it, or the guy who walks in through those holes?

Re:

I dunno. Let's ask victims of lock-picking burglars?

Re:Oh god... I predict "resume spam" soon

Better yet let's be a little more specific. Let's ask victims of lock-picking burglars who were caught (the burglars) if that burglar should be offered a job making sure that other, uncaught, burglars can't pick the locks of that company any more?

I'd feel a lot safer if a burglar who was extremely good at lock picking was unable to pick the locks I was using. Same goes for security, if you have someone who is a professional hacker trying to penetrate your system you're going to find problems a lot faster than if you just have another White Hat, whose more concerned with patching holes than finding them, looking around.

Re:

I'll keep hammering on this, but this is why the recent anti-"hacking" law [slashdot.org] in Germany is one of the stupidest political ideas concerning IT ever to come to reality. It also shows a total neglect of the international state of the internet. By stopping "hack

Re:

I'd have no problem with them acting in an advisory role, saying "Yeah, it's a bad idea to let the back door there unlocked" or whatever. Same kind of thing.

Re:

It depends. If you go around picking random peoples locks you might get in a bit of trouble. If you go around picking random peoples locks and stealing their shit, expect to get in a lot of trouble.

Re:

Its a little more complicated than you make it out to be. "Black hats" should never be offered a job by a company that gives a damn about its reputation. You don't reward people for committing crimes. Secondly, you don't have to be a black hat to look f

Re:

I agree, I screwed up the nomenclature a little bit. Either way, someone who comes up with a creative hack should be rewarded for it. By exploiting the hole, he increased security. In the short term he cost people money. In the long run he most likely save

Re:

Right... So by that logic it makes sense to hire a rapist to protect your daughter from other rapists right? Hire a criminal to protect against the criminal. I think I would rather pay someone who isn't a rapist for that job.

Devs write something, blac

Re:

The skills required for rape aren't exactly in high demand..

Re:

The skills required for catching or preventing rapists is in high demand. The argument goes that you should hire people who can commit the crime to protect against it. Only a serial rapist would know the details of the how and why of target selection and

Re:

Yeah because it's really hard to work out who is more likely to be a potential victim for assault :/ Most people know that it will depend on your body language, and you would be better travelling with someone else, in well lit/'better' areas, etc.. you cou

Re:Oh god... I predict "resume spam" soon

The more people like this get tremendous job offers, the worse I see things getting since they are ultimately being rewarded for their behavior.

CEO's get rewarded for ruining companies, isn't it time the same courtesy is extended to the IT set?

Re:

Resume spam is already happening in the academic world. Any university researcher with a website offering positions will get a lot of job applications from people all over the world (probably mostly india/asia though) from totally irrelevant fields, either

Re:

Easy fix for this. Since what he did could easily be construed as 'corruption' or 'fraud', (or a least conspiracy to do so, or to aid and adbet others), they should just string him up! That's what they do to 'corrupt' (are they not all?) party officials

Accomplices

Three of Li's accomplices were also jailed for up to two-and-a-half-years each yesterday.

I wonder if they will get offers as well or do these companies want to stick to just the mastermind?

(Oh and I for one welcome our burning joss stick wielding, cute and cuddly Asian overlor^W, um, IT guys...)

Maybe not so new

From the blurb: Li's cyber bug, which earned him about 145,000 yuan after selling it to other hackers from December 2006 to February this year, can prevent infected computers from operating anti-virus software and all programs using the "exe" suffix.'

Navidad [symantec.com] did kind of the same thing but it seems to be a coding mistake more then the intended purpose of the virus.

Just for the record: I didn't read the article.

Re:

Moderation: +1 Informative.

Just for the record: I didn't read the article.

Now if you HAD read TFA, that would be informative. Default value for rtfa is 0, not 1, so stating you hadn't read TFA is redundant :)

Re:

One guy wrote a virus that tricked users to think the virus was update to their windoze boxes.. After users installed the virus it wrote annoying messages to them all the time.

He was hired later as a WGA expert-developer.

well yeah

the only real way to ensure security is to have it constantly challenged. that's a job. and this guy did a good job of doing that. thus, he earned the income

which means 2 things:

1. there is no security in an environment where the security doesn't get challenged and defeated every now and then. or get's challenged, and the fallout kept secret

2. go ahead and make virii and worms. just make damn sure the payload is harmless or simply annoying. if the worm this guy wrote did something really nasty, you can be sure he wouldn't be getting kudos and job offers

Re:

1. There would also be no need for security if people weren't trying to break the system, but I know what you're saying.

2. He sold the code to criminals who have no doubt used it for something 'really nasty'?

I like to play devil's advocate a bit, but

Re:

So. Where should I send the bill when I break into your house and take pictures of you sleeping? I mean there is work there testing your security (physical security), observing your sleep patterns (doctors get big bucks for this work), and I didn't take

He did this because he couldn't get a job?

Was the virus technically fantastic, or did he download a virus kit from the web and just modify it's name before releasing it?

He did this because he couldn't get a job? Maybe he should get a life instead.

Re:

Had he gotten life the job offer would be less appealing I imagine.

The familiar meme evolves

1. Lose job.
2. In despair, write a Windows worm.
3. PROFIT.
4. Get caught, go to jail.
5. ???
6. PROFIT.

Bad idea?

Am I the only one that thinks rewarding a virus writer in this manner is a really bad idea?

However, he later learned from media reports that Li, who created the virus over discontent at his failure to land a job, may not be a bad guy and "just went astray,

Re:

Sorry, but taking your discontent out on scores of innocent victims does not strike me as merely being led astray. At best, it shows a complete failure to consider the consequences of your actions. At worst, it shows that your personality is borderline soc

The Chinese will learn, too, eventually...

The "West" learned in the 80s. You do NOT want those people in your security department. Yes, they have the skill, but they don't have the ethics. And that's the big deal here.

You will not get a job offer here for writing a virus. No reputable IT sec company will touch you with a 10 foot fiber cable. Yes, you obviously have the skill, but you lack the morals not to use it for what you've done.

What is really lacking in today's IT world is lectures and courses about the topic. Do you see many universities teach you something about malware? How to exploit a system? How to look for security holes? Yes, very controversial topic, but it's necessary. I mean, where are you supposed to learn that? Self study takes a long, long time, time you don't have in today's IT sec world where what you learn today is dead weight in a month. And, well, self study is usually only done by people who have an interest in applying that knowledge, and rarely for good...

Re:

Yes, they have the skill, but they don't have the ethics. And that's the big deal here.

Yes, because every day we hear how ethical the big companies are here in the West. Our big companies would never abuse monopoly positions, would never swindle share hold

Re:

I've said it in the comment above, I say it again, if you're pissed at companies, go ahead and bring them to their knees. But there's no excuse for launching an all out attack against everyone who uses the net because you're angry with a company or two.

Re:

It doesn't matter what the ethics are of the company as a whole. If they can't trust you as an employee they won't hire you since all organizations (whether you think they are corrupt or not) depend on trust. If they are cheating, they want to be the one

Re:

Our big companies would never abuse monopoly positions, would never swindle share holders, would never abuse their staff, would never seek every way possible to avoid paying taxes, would never rip off their customers, would never fix prices, would never use scare tactics, would never spread lies and disinformation about competitors, would never spy on competitors or their own staff, would never collude with their own government to break the law, would never work with an oppressive regime just for profits...

Being able to trust your employees not to steal and sell hundreds of thousands of customer credit card numbers to the highest bidder has nothing to do with corporate morality or lack thereof.

Re:

Do you see many universities teach you something about malware?

Um... yes? Actually, where I go there's an entire CS Masters concentration dealing with the subject along with digital forensics topics...

Re:

It's not necessarily only a matter of your attitude towards the industry. If your malware only affected business targets, I could see that it's some kind of revenge to an industry that shipped your jobs to a country where the average coder asks you what he

Offered a job for your crime

It's like you robbed a bank, but you did it so well the bank wanted to hire you as security to protect them.

on hiring the insecure and the vengeful

The media is reporting that author Li Jun originally wrote the virus due to frustrations over being jobless.

You hire a guy with a record with of lashing out against the world when he meets with life's frustrations. What next? Do you offer him lifetime job security and rebuild your IT infrastructure every time he twitches?

Something to be concerned about

Considering the changes in the computer industry over the past 20 years, it should scare people that this sort of thing is going on right now. There have been an increasing number of hacking attempts from China, and there are also an increasing number o

Give him a job only after...

I believe in fairness. Everyone needs to work productively. So yes, give this guy a job.

    But only after he has spent MANY years in jail, and has reimbursed all the people who lost work and data directly resulting from the virus being on all the computers affected by this crime.

    So if this criminal has written and released a bit of secret code that wipes out data a hard drive, then he (always a he) should be required to compensate for the cost of collecting and entering this data. He must also be responsible for loss of income and profit in all the companies infected by his virus code.

    If he is still interested in coding after all the effort and expense that he must do to correct the bad effects of his deliberate action of writing and releasing a destructive virus, then he should be allowed to do so.

    But not until all the compensation has been made. It doesn't matter if this criminal is a coding genius, we can always get the same results from having more ordinary people working on the same coding problem as a lone genius.

    What I'm saying is that regardless of any individual's coding skills, if this individual causes millions of dollars of damage, he should not be allowed to work in this industry.

Chinese Worm Creator Gets High

Anyone else misread the title at first?

Re:Pfft

and all programs using the "exe" suffix.

so.... how did windows boot?

IIRC, the virus modified the registry entries which tell Windows how to handle .exe files. Booting up is fine. Once the system's up, every time explorer tries to launch an .exe, Windows wound up checking the registry for what it should do with the file. The registry modification removed the "magic" that told it that it's an executable.

I remember at work someone convincing me it was a good idea to copy the .exe registry class into another one, say, .myinitials, so if the .exe registry settings got clobbered I could always rename regedit.exe to regedit.myinitials and fix it.

Re:Pfft

Dammit. Screwed again.
- Eugene Xavier Edwards

Re:

China hasn't been communist in a damn long time. Now they are just a one party dictatorship. Think Soviets without the good intentions. The funny part about it is the communist party isn't even embarrassed about it.

Re:

China is now about as Socialist as the National Socialists, if you get the picture. More National than Socialist.

Basically, China is an oligarchical state that gives lip service to the theories of people who are pretty much discredited: Mao, Lenin, Marx.

Re:

1 Million Yuan is 130K in US dollars which is good but not great for the title they are offering him. Now I do agree that is a lot considering that china's cost of living is low, but still not all that amazing in US terms.

Re:

When you're working with Mr Wang Wanxiong, you pick up some good tricks!