The digital age has brought new prosperity to the developed world, but it has also posed security challenges. A clever computer worm that takes advantage of defects in ubiquitous Microsoft software can make copies of itself, clog corporate networks and stymie worker productivity throughout a connected, global economy, and do it in a digital instant. In early 2002 Bill Gates sent a memo to his employees trumpeting the importance of “trustworthy computing,” and naming secure software as “the highest priority for all the work we are doing.”

eEye aims to hold Microsoft to that pledge, even though the two companies have no formal relationship and indeed often seem more like adversaries than collaborators. eEye’s business plan is to sell software to clients like Continental Airlines and Citigroup. The software scans their networks, which typically use Microsoft’s products, and finds security holes that could expose data to intruders. As part of their mission, Maiffret and his young team of ethical hackers spend their time looking for vulnerabilities in Windows software, then privately alerting Microsoft so that Gates & Co. can devise a patch for the flaw. After that fix is offered, eEye publishes details about the vulnerability.

No money changes hands between eEye and Microsoft, and the relationship between the two firms is inherently tense. Maiffret and his crew basically keep calling Microsoft with the bad news that its products are insecure and giving it more work to do. Microsoft declines to comment about independent researchers like eEye.

In the past two years, eEye’s research has led to the discovery of some of the biggest holes in Windows, from the recent ASN vulnerability that would allow attackers to take over servers running Microsoft programs, to the Code Red worm that rampaged over the Net in 2001. Though such disclosures are embarrassing to Microsoft, security researchers say eEye has helped establish the importance of ethical hackers. “People have finally woken up to the fact that vulnerability researchers have a legitimate role to play,” says Chris Wysopal, vice president of one of eEye’s rivals, @Stake.

Maiffret’s journey from slacker-hacker to cofounder of a 120-employee firm was an unlikely one. Six years ago he was a dropout from high school in Orange County, Calif., spending nights teaching himself about computer security when a friend introduced him to Jordanian entrepreneur Firas Bushnaq, the CEO of eCompany, a software firm. Hoping for a job, Maiffret offered a free demonstration: he’d break into Bushnaq’s corporate network. Bushnaq agreed. Maiffret cracked the system in less than an hour and was hired. With funding from eCompany, they started eEye.

Bushnaq taught Maiffret about writing commercial software and running a business. Maiffret shared his insights into the computer underground. “He’s the type of hacker who does it for the love of technology,” Bushnaq says. When the dot-com collapse wiped out eCompany in 2000, Bushnaq became CEO of eEye. Today 25,000 companies run eEye software. The company is private and does not divulge financials, but gets plenty of headlines as it divulges one security hole after another.

Maiffret’s main beef with Microsoft is how long it takes the software giant to respond with patches. By waiting up to 200 days after eEye discloses a vulnerability, “they’re leaving people open to attack,” he says. While Microsoft won’t respond directly, it does cite the challenge of devising solutions that don’t create a new security hole in place of the old one. That’s a worthy goal eEye would like to see reached.