Hacker Key to Firm’s Future

TIMES STAFF WRITER

By his own account, Marc Maiffret had been up to no good. In and out of several computer hacker groups, the high school dropout realized his life had to change one morning shortly after he turned 17 when he was awakened by an FBI agent holding a gun to his head.

Today, at 21, Maiffret consults on computer matters with the Federal Bureau of Investigation and other federal agencies and earns a six-figure salary at a privately held Aliso Viejo company he co-founded, EEye Digital Security Inc.

“I never thought I would have been where I am today. It’s such an amazing feeling,” Maiffret (pronounced MAY-fray) said. “It’s been like a crazy, crazy, crazy journey.”

Although many hackers have turned up as security consultants, few have helped put a new company on track for success. EEye has garnered accolades both for its knack for finding major flaws in popular software programs and for the cutting-edge products it develops to help halt hacker attacks.

And EEye is starting to flourish, with sales running at about $1 million a month and profit rolling in since midsummer, said Firas Bushnaq, the company’s co-chief executive. Industry experts say the company is well-positioned to take advantage of the rapid growth in what is expected to be a $6.6-billion industry this year.

Since its start in 1998, EEye has uncovered a dozen problems with Microsoft Corp. software--from the Windows XP operating system to programs for Web servers, which manage access and interaction for Internet sites.

Three weeks ago, the Redmond, Wash., behemoth came out with a patch to fix an EEye-discovered flaw in Web server software that could have given a hacker control of servers. And last fall, right after Microsoft released its XP operating system as its most secure ever, EEye found a gaping hole that could allow hackers to take control of individual personal computers.

“They do their homework,” said Steven B. Lipner, director of security assurance for Microsoft, which this year made security a top priority. “The reports [on flaws] they send us have been well-researched and are high-quality.”

Maiffret and his colleagues--20 engineers and 14 staff workers in Orange County and 16 salespeople in Europe, mostly in their 20s--even earned grudging praise from bigger competitor Internet Security Systems Inc. in Atlanta, which itself had to fix flaws EEye found in its products last month.

“They’re very skilled at what they do,” said Chris Rouland, director of Internet Security’s X-Force research group.

Security Initially Was a Sideline for Company

The hacking work has helped EEye develop tools that now are used by such major companies as Edison International, AT&T Corp., Honeywell Inc., Wells Fargo & Co. and Microsoft, as well as by federal agencies, which EEye wouldn’t name.

Its Retina network scanner is widely regarded as one of the better tools at uncovering security vulnerabilities on a network. Its SecureIIS network firewall for Microsoft Web servers uses a new method of identifying attacks to block not only known viruses but also new ones that follow hacking patterns. Its Iris program analyzes network traffic for bugs as data comes in. A new product, Blink, due out this summer, is a firewall for individual workstations.

Bushnaq, 34, whose ECompany Inc. created EEye, credits Maiffret for helping redirect operations. ECompany started out in the 1990s as yet another electronic-commerce firm, offering several services to online businesses. Security was a sideline until one employee asked Bushnaq in early 1998 if his 17-year-old roommate could try hacking into the firm’s computers.

“The next day, Marc walks in with a listing of all my workstations and other information I thought was secure,” said Bushnaq, a native Jordanian who moved to the U.S. when he was 16 and earned a degree in computer engineering. “I said, ‘Would you like a job?’ and he said, ‘That’s why I did this.’”

After Maiffret joined ECompany, the sideline quickly took center stage, and the baby-faced kid with spiked hair--colored green this month--took the unique title of chief hacking officer. EEye has picked up two rounds of venture financing totaling $7 million and is looking for a partner to help it build the company. Bushnaq said EEye has just signed a distribution contract with Ingram Micro Inc., the world’s largest distributor of computer products.

For Maiffret, the job became a liberating experience after he’d been engulfed by cyberspace for three years, learning to write code and hanging out with hacking groups.

“I was up to no good, but it was more for research,” he maintains. “I never destroyed anything.”

After getting his first computer at the end of ninth grade, Maiffret moved with his mother and his two sisters from Irvine to Trabuco Canyon in south Orange County, where he had no friends and all summer to devote to the computer. A tinkerer who had taken apart televisions and radios to see how they worked, Maiffret was quickly bored with computer games and began learning how to devise them and other programs.

By the time summer was over, he was starting to hack into computer networks, and by the middle of 10th grade, he dropped out. “I knew what I wanted to do in life, and I didn’t see where high school would help,” he said. But he couldn’t get a job in Internet security.

Instead, from his computer in the garage, Maiffret traveled the world, moving in and out of hacking groups under the name Chameleon, which he took from a ninth-grader’s remark about his computer skills. He even managed to get onto some government Web sites, a far less serious event than breaking into secure networks.

“It was the thrill of getting into systems. I didn’t open any files,” he said. “I knew I shouldn’t be doing it, but we weren’t malicious. For example, at a company that sold furs, we’d leave a message saying something about not killing animals.”

His adventures came to a halt when some hacker acquaintances broke into government computers and reportedly downloaded software that controls the positioning of satellites. A man named Ibrahim wanted to buy the software from Maiffret, who said he never saw or had the program, and left $1,000 in money orders at a commercial post office box. The teenager collected the money, using part of it to buy one of his sisters a Nintendo game.

Some security Web sites identified Ibrahim as a terrorist, but Maiffret said that when he asked the FBI about it, he was told that this wasn’t true and not to worry about it. “He disappeared after the raid,” Maiffret said, leading security experts to believe that Ibrahim was an FBI front.

The FBI, though, was monitoring Maiffret’s activities. One morning in spring 1998, while he was sleeping, nearly two dozen agents raided the home, pulling his mother screaming from the shower and putting a gun to Maiffret’s head and handcuffing him. After hours of questioning about satellite software, they left without arresting him but took his computer.

“That was my wake-up call,” Maiffret said.

A week after the raid, he said, he and his mother had dinner with the lead FBI investigator and never heard from him again until last summer--when the agency returned his outdated computer. As far as Maiffret was concerned then, he had nothing to hide. Bushnaq agreed, and kept the young hacker on staff.

For EEye, it proved to be a good move.

Maiffret has become a leading industry force in discovering areas of software that are vulnerable to attacks, but his first foray was nearly disastrous. In June 1999, he found a serious flaw in the Internet, a hole that could give an attacker control of a server.

Microsoft, whose software runs 27% of about 14 million active servers worldwide, didn’t act quickly to fix the problem and, after a few days, ignored EEye’s e-mail messages. A week after uncovering the flaw, EEye began issuing alerts on security Web sites, releasing enough information to show that the teen and the upstart company knew what they were talking about.

The information, however, also was detailed enough for a good hacker to figure out the flaw and exploit it. Microsoft then issued a patch to cover the hole, but both sides came under heavy criticism by the security community.

Blamed by Some for Paving Way to Code Red

With Maiffret only a year removed from the FBI raid, most of the flak was aimed at EEye for disclosing the information. Others contended that with so many servers open to attack, Microsoft dragged its feet in fixing the problem and that EEye acted properly.

Both firms now say they have developed a professional working relationship, but EEye continued to suffer in the security world.

“Releasing an exploit code, that is something you should not do. It’s like firemen who are arsonists,” said John Pescatore, a Gartner Group Inc. security analyst who worked at the National Security Agency. “I think EEye has moved beyond that, and I don’t think Marc Maiffret being there is a negative. Having someone like him driving the issue, finding the holes, is a good thing.”

Nevertheless, some critics blamed EEye’s release last year of information on how one hole worked for leading to the Code Red worm, a devastating bug that quickly ripped through more than 750,000 servers worldwide and cost more than $2.5 billion in repairs, according to industry estimates. EEye’s products, the company said, could have prevented it.

“They’ve been finding vulnerabilities left and right--and they have all the programs that could fix them,” said John Vranesevich, a Beaver, Pa., operator of AntiOnline.com, which tracks hackers. Pescatore, who lauds EEye’s technology and products, still notes that the company is “tainted with the brush of ambulance chasing.”

But Microsoft’s Lipner said EEye acted properly. Microsoft had a patch out a month before the bug hit, he said, and was “pretty aggressive” about getting customers to install it. Too many, though, failed to add the patch, he said.

With attacks growing and getting more sophisticated, Microsoft Chairman Bill Gates said in a January e-mail to employees that security now is the company’s “highest priority.” After Code Red and the Sept. 11 terrorist attacks, Lipner said, “we are seeing heavy traffic in customers pulling down patches from our Web site.”