From: www.itworld.com

After arrest, Roberto Preatoni to stay at WabiSabiLabi

April 10, 2008

CORRECTION: Due to incorrect information from a source, the date Roberto Preatoni was released from custody was misstated. He was freed on Nov. 28, 2007. The story has been corrected below.


Five months after being arrested by Italian authorities on hacking and wiretapping
charges, the founder of a controversial company that sells unpatched computer
vulnerabilities says he'll remain on board.

Roberto Preatoni was arrested in November for his role in an ongoing scandal
at Italy's largest telecommunications company, Telecom Italia, that has been
front-page news in Italy for the past year. After remaining out of the public
eye since his arrest, he suddenly reappeared Thursday, posting a note to his
company's blog and saying that he'd decided to continue to work for the
company he founded.

"The questions I kept asking myself in the last months were: What will
happen to [WabiSabiLabi] if I will stay?" he wrote. "Will my private
life and troubles effect negatively the project? Should I keep representing
publicly the project?"

After talking to fellow security researchers, he decided to stay.

"I will stay and continue to put pressure to security lobbies. Things
must change, researchers and their discoveries should be considered beneficial
to the whole security cycle," he wrote.

Preatoni's trouble reportedly started with his previous security consulting
work as a penetration tester -- a security expert hired to test working networks
for vulnerabilities.

According to news reports, Preatoni helped staff a 10-member "Tiger Team,"
ostensibly set up to test Telecom Italia's information security system. Members
of this team are now charged with hacking and spying on Carla Cico, CEO of Brasil
Telecom; Kroll Inc., an investigative agency; and journalists Fausto Carioti
and David Giacalone of the newspaper Libero.

In January 2007, four others were charged with spying in connection with the
scandal. They included Fabio Ghioni, vice president and security chief technology
officer at Telecom Italia, and Giuliano Tavaroli, the telecom's former head
of security.

At the time of those arrests, Tiger Team members were charged with using a
Trojan Horse program to steal sensitive data from the computer of Vittorio Colao,
former CEO of the Rizzoli Corriere della Sera publishing group.

Preatoni's company has been the subject of controversy since it was launched
in July 2007. The company sells information on unpatched software bugs using
an eBay-style marketplace that is hosted on its Web site.

While the company argued that its vulnerability auction business simply helped
researchers establish a fair market value for their work, others in the industry
argued that it would put computer users at risk by selling bugs to people who
might misuse them in attacks.

Security researchers say that an unpatched software vulnerability can earn
them $50,000 in the underground marketplace.

Preatoni said he was working on a "surprise" partnership that would
be announced soon. His next public appearance on behalf of WabiSabiLabi will
be at the Web Security Summit next month in Johannesburg.

Preatoni had some harsh words for the press, which he said had failed to accurately
report his case and had ignored his release from custody.

He was released from custody on Nov. 28. In an e-mail, he declined to comment further on the matter because the case is still open.

As Preatoni tells it, the case reads like the jacket notes from a John le Carré
novel: "Probably, nobody will ever be able to picture it completely right,"
he wrote, "as it's a case involving a hundred of arrested people, the Italian
Secret Services, the US Secret Services, some Italian corrupted police and financial
police officers, some Italian and US investigation companies, a multi-billionaire
struggle between Telecom Italia and Brasil Telecom, an extraordinary rendition
(kidnapping) of a presumed Islamic terrorist, and last but not least, the suicide
(but many say murder) of a Telecom Italia Security top manager."