Watt once had a lucrative Wall Street career coding software 
    for real-time stock-trading systems until he wrote a packet-
    sniffing program for a long-time friend and found himself  
    embroiled in a multi-million-dollar bank card heist that 
    netted him a two-year prison term.

I love how puff-pieces always trivialize the things that would run counter to their narrative. He didn't really do anything wrong - he was just helping his friend[0][1].

People do what they do, and that's cool - but let's not pretend he just accidentally found himself tripped up in some fraud situation, oops don't know how that happened hey look an awesome product in which trust is essential!

0. There's a slightly more complete look here, though not focused on Watt: http://www.rollingstone.com/culture/news/sex-drugs-and-the-b...

1. Wired did a similar sympathetic piece last year in which they made Watt's past seem like a minor misdeed (some wording is essentially identical to what I quoted above): http://www.wired.com/2013/04/stephen-watt-stalked-by-past/

In response to the Rolling Stone article:

    Patrick's job was to probe corporate networks for vulnerabilities to a malware attack known as a "sequel injection," which overwhelms the victim's system with meaningless commands until the system gives up and defaults to using the malicious code.

Sequel injection, huh? :P

That... wow. That's exactly what "Sequel injection" is, basically, you overwhelm the target with "v2.0", or the "sequel", if you will, and it just gives up and runs that code, thus "injecting" the "sequel".

Holy crap.

Yeah aside from that and a small number of other gems, it's a really good article. Read it a long time ago when it was first published, but definitely one I can re-read for the pure enjoyment factor.

Assuming they mean SQL injection... well, "sequel" is at least recognized as one of two mainstream pronunciations. My mom once pronounced that initialism as "squirrel".

According to Watt, he was convicted for fixing compiler flags for a general purpose tcpdump-esque sniffer program because the TJ Maxx fraudsters (Albert Gonzalez, et al.) were too incompetent to figure it out themselves. This is the sort of innocuous request you might get from someone on a forum "because you look like you know C."

http://infiltratecon.com/watt.html

In this case, it wasn't some person on a forum asking him just because he knew C.

True, but that's the sort of situation the rest of us might find ourselves in if we're not careful. I was alluding more to a sort of "lesson to be learned" from his story than the granular facts of it.

That Rolling Stone article was both an interesting read and good contrast to the OP re: Watt's character. Thanks for sharing.

Watt wasn't convicted for fraud, he was convicted for not snitching. I, for one, trust the man's integrity, and I'll judge his code when I see it.

    Stephen Watt pleaded guilty to writing the sniffer code that proved key to Albert's operation but continues to insist that he never knew it was being used for illegal purposes, noting that he made no money from Albert's crimes.

http://www.rollingstone.com/culture/news/sex-drugs-and-the-b...

Dark Mail is written by someone who was convicted of helping to steal credit card information?!

Who cares ? If the protocol is open and good, and we can build open source implementations, no one cares about the life of the creator.

The question is, can you trust someone who has broken trust in the past and in a major way?

How exactly did Stephen Watt break trust? He didn't steal any credit cards, he didn't profit from other people stealing credit cards, and he allegedly was not aware of the purpose for that sniffer program. He's an old-school black hat who broke into systems for the lulz, not for financial gain. (Ever heard of ~el8?). His mistake was believing his associates shared his priorities.

Not only that, but when he was being pressured and threatened by the government, he refused to cooperate. I think that's commendable and demonstrates real integrity.

Do you really believe he didn't know what it was being used for? He acknowledged it was using to sniff traffic, if not for credit-cards? What? Account details?

Unless there were logs or talks of them doing it for purely academic/educational purposes, which as we know Gonzalez isn't that "sort" of person, it would be unacceptable to think someone of Watt's intellect wouldn't be able to put 2-and-2 together.

He's been around the scene. He knows the scene. He's been a part of the scene.

I agree in terms of law, this all goes into a very grey and fuzzy area - if he had a better lawyer he may have came out in a different situation. Looking at the recent backlash for hackers, he may be looking at an apology (or even a payout) in the future.

The point of "open" is that you don't have to.

> The point of "open" is that you don't have to.

In theory, but realistically very little FOSS is audited, and audits are not perfect (and we have to trust the auditor). We have to trust the authors.

While it's true that softwares are rarely audited, protocols are much more analyzed because they are expected to be read by humans. Fortunately, the DarkMail authors want to create a new protocol and have it interoperable, so there should be an open protocol; that's the most important thing, and we must keep our focus on it.

If you decline to audit FOSS yourself, you can't complain about being forced to trust someone else.

Do you still use google products?

Absolutely! I wouldn't have it any other way.

It is the one and same if you had read the link you provided... The Dark Mail Alliance lists Ladar Levison as part of the team who is one of the people mentioned in the article. The same name thing may be a giveaway also...