


by Robert McMillan, IDG News Service (San Francisco Bureau)

After Arrest, Founder of Bug-Selling Company to Stay

Apr 11, 2008 · 3 mins
Application Security, Cybercrime, Vulnerabilities

The founder of a controversial company that sells unpatched computer vulnerabilities says he'll remain on board.

Five months after being arrested by Italian authorities on hacking and wiretapping charges, the founder of a controversial company that sells unpatched computer vulnerabilities says he’ll remain on board.

Roberto Preatoni was arrested in November for his role in an ongoing scandal at Italy’s largest telecommunications company, Telecom Italia, that has been front-page news in Italy for the past year. After remaining out of the public eye since his arrest, he suddenly reappeared Thursday, posting a note to his company’s blog and saying that he’d decided to continue to work for the company he founded.

“The questions I kept asking myself in the last months were: What will happen to [WabiSabiLabi] if I will stay?” he wrote. “Will my private life and troubles effect negatively the project? Should I keep representing publicly the project?”

After talking to fellow security researchers, he decided to stay.

“I will stay and continue to put pressure to security lobbies. Things must change, researchers and their discoveries should be considered beneficial to the whole security cycle,” he wrote.

Preatoni’s trouble reportedly started with his previous security consulting work as a penetration tester — a security expert hired to test working networks for vulnerabilities.

According to news reports, Preatoni helped staff a 10-member “Tiger Team,” ostensibly set up to test Telecom Italia’s information security system. Members of this team are now charged with hacking and spying on Carla Cico, CEO of Brasil Telecom; Kroll Inc., an investigative agency; and journalists Fausto Carioti and David Giacalone of the newspaper Libero.

In January 2007, four others were charged with spying in connection with the scandal. They included Fabio Ghioni, vice president and security chief technology officer at Telecom Italia, and Giuliano Tavaroli, the telecom’s former head of security.

At the time of those arrests, Tiger Team members were charged with using a Trojan Horse program to steal sensitive data from the computer of Vittorio Colao, former CEO of the Rizzoli Corriere della Sera publishing group.

Preatoni’s company has been the subject of controversy since it was launched in July 2007. The company sells information on unpatched software bugs using an eBay-style marketplace that is hosted on its Web site.

While the company argued that its vulnerability auction business simply helped researchers establish a fair market value for their work, others in the industry argued that it would put computer users at risk by selling bugs to people who might misuse them in attacks.

Security researchers say that an unpatched software vulnerability can earn them $50,000 in the underground marketplace.

Preatoni said he was working on a “surprise” partnership that would be announced soon. His next public appearance on behalf of WabiSabiLabi will be at the Web Security Summit next month in Johannesburg.

Preatoni had some harsh words for the press, which he said had failed to accurately report his case and had ignored his release from custody.

He was released from custody on Nov. 28. In an e-mail, he declined to comment further on the matter because the case is still open.

As Preatoni tells it, the case reads like the jacket notes from a John le Carre novel: “Probably, nobody will ever be able to picture it completely right,” he wrote, “as it’s a case involving a hundred of arrested people, the Italian Secret Services, the US Secret Services, some Italian corrupted police and financial police officers, some Italian and US investigation companies, a multi-billionaire struggle between Telecom Italia and Brasil Telecom, an extraordinary rendition (kidnapping) of a presumed Islamic terrorist, and last but not least, the suicide (but many say murder) of a Telecom Italia Security top manager.”