Security expert Marc Maiffret parlayed his teen hacking skills into getting paid to find holes in Microsoft software. Now, he says, Adobe and Apple can learn from Microsoft's past.
For Marc Maiffret, the turning point in his life came when—at the age of 17—he woke up to an FBI agent pointing a gun at his head.
A runaway and high school dropout, he had just returned home and landed his first professional job using his computer skills for the good of companies instead of for mischief. But his past was still catching up to his present.
Young, articulate, and outspoken, Maiffret went on to become a celebrity hacker wunderkind, testifying before Congress on security issues, featured in cover stories in numerous magazines and newspapers, appearing in MTV's "True Life: I'm a Hacker," and being named one of People Magazine's 30 People Under 30.
As a co-founder of eEye Digital Security, the street-savvy, brash teen quickly became a thorn in the side of software giant Microsoft, finding vulnerabilities in its products, including the hole that the Code Red worm used to wriggle its way onto thousands of servers in 2001.
Today, at 29, the boyish-looking Maiffret is still causing trouble—the good kind. He joined anti-malware firm FireEye in mid-December as chief security architect. In a recent interview with CNET, Maiffret talked about growing up fast and how he stays ahead of the game.
Q: What are you up to?
Maiffret: I'm chief security architect at FireEye and I focus on improving our product's ability to detect threats. I'm also managing FireEye's research team and I have various speaking engagements.
Where were you before FireEye?
Maiffret: I was with The DigiTrust Group, which is managed security services company targeting small to medium-sized businesses, taking over their Windows desktop security.
When did you start eEye?
Maiffret: I started it when I was 17—co-founded it with my friend Firas Bushnaq and did that for about 10 years or so.
At eEye you caused quite a stir over at Microsoft. Tell me about that.
Maiffret: Yeah. First and foremost, we were building a vulnerability assessment product that could scan your company network and tell you here's all the ways a hacker could break in and here's how to fix it. I was focused on Windows and Microsoft platforms in the beginning. I had been interested in vulnerability research since 1997and more serious stuff in 1998 and 1999. I started to discover some of the more critical remote Microsoft vulnerabilities where you could compromise any Microsoft Web server. That kicked off some of the first real intense looks at Microsoft from a security perspective.
How would you characterize the state of security at Microsoft products at the time?
Maiffret: At that time they didn't even have a dedicated security team. One guy acted as a liaison between marketing and engineering and they treated it very much as a marketing problem, not as a technical problem and not one they needed to focus on addressing. Their attitude was, "if we can keep evil research guys quiet no one will talk about it and we won't have to be distracted trying fix these things." We were not OK with that. We were outspoken, which was unique for a business with tens of millions of dollars in revenue.
Most businesses bite their tongue, because it's not beneficial to speak out against the largest software company in the world. But if you truly cared about improving the world's security you had to do things for the IT community and not just worry about selling products. We did that by holding Microsoft's feet to the fire and holding them accountable for what they were doing wrong.
It started to shift away from being a marketing nuisance and started mattering to them as a company when Bill Gates released his Trustworthy Computing memo [in January 2002]. He stated this was the No. 1 objective of the company, to have the software become secure to the point where people actually trust it. There was a lack of faith in Microsoft and security, especially after all the computer worms like Code Red and Slammer. Banks were talking to Microsoft about switching. Now when you look at Microsoft today they do more to secure their software than anyone. They're the model for how to do it. They're not perfect; there's room for improvement. But they are definitely doing more than anybody else in the industry, I would say.
Are they the model that other companies are following?
Maiffret: From an internal process in how they go about auditing their code and securing software from a technical perspective, they do have one of the best models. The area they still have room for improvement is around time lines of how long it takes for them to fix things. We see time and time again when somebody responsibly reports a security problem to Microsoft it takes many, many months, if not upwards of a year, to get these things resolved. Should there be some new zero day critical emergency, we see they are able to get something out within a couple of weeks. You look at companies like Adobe and they are where Microsoft was 10 years ago.
[Apple has] really only begun in the last six months or so taking security seriously and understanding that it impacts their business in a serious way.
In what way exactly?
Maiffret: Adobe, and even Apple, is a good example. They are starting to get black eyes with people saying Adobe is a bigger worry than Microsoft is at the moment, which I agree with. As those things are happening, Adobe and Apple and other companies are starting to pay attention and care more. But a year ago, it was still very much a marketing thing. People from both companies treated it as a marketing problem. They didn't have good technical structures behind the scenes. Now they are staffing up and hiring industry notables like Window Snyder [ex-Microsoft security employee recently hired by Apple]. They've really only begun in the last six months or so taking security seriously and understanding that it impacts their business in a serious way.
And you think Apple is taking it seriously too now?
Maiffret: Oh yeah. It's even a little scarier with them because they try to market themselves as more secure than the PC, that you don't have to worry about viruses, etc. Anytime there's been a hacking contest, within a few hours someone's found a new Apple vulnerability. If they were taking it seriously, they wouldn't claim to be more secure than Microsoft because they are very much not. And the Apple community is pretty ignorant to the risks that are out there as it relates to Apple. The reason we don't see more attacks out there compared to Microsoft is because their market share isn't near what Microsoft's is.
Are they on par as far as code?
Maiffret: I think Microsoft does a better job with their code auditing than folks like Apple do. We've only seen a scratching of the surface as far as Apple vulnerabilities because nobody cares to find them. There's nothing inherent with Apple themselves and their development. The only reason Apple gets little increase in security is because they're running on top of a Unix-based operating system and they can take advantage of some of the things that have been done for them.
What are the big threats now?
Maiffret: The desktop apps are now the biggest targets. Adobe is a great example of that. People don't have patch processes in place for Adobe and other applications like they do for Microsoft software. The Web-based applications are also big targets—companies putting Web apps online and weird uses of Facebook. Facebook is becoming its own complex platform with all these different apps integrated.
Do users need to do something different with the attack vector shifting?
Maiffret: A few years ago, the types of attacks were e-mails that appeared to come from your bank. You could just log into your bank and see if there was a notice for customers. It was old-style phishing. It's easier to look for that and avoid those things. Nowadays, when attacks are increasingly being leveraged from legitimate Web sites, it's harder. For instance, where the CFO of a company was targeted because he was on CFO.com and some guys in Ukraine paid to have a flash-based advertisement taken out on financial sites. That's the scariest shift to me.
I don't even know of a way right now, with the various types of attacks, how to explain to my mom what not to click on and what not to do because just through the normal browsing attacks are going to be coming at her. It's so low-level and behind the scenes. You just happen to click on a news link and a flash link off to the side that you're not even interacting with compromises you. The potential of educating users is going away quickly. It means we have to be better as technology people and security companies at preventing these things.
What do you think about Google's news that it was attacked late last year?
Maiffret: It was awesome that they went public with it. Breaches happen all the time. The attacks like Google reported are very commonplace, but unless it's a significant enough breach to require some sort of disclosure, there's not any motivation for companies to talk about it. At the same time, the attacks were sophisticated in the sense that there were a large number of companies (more than 30) targeted in a short period of time and that the compromises were successful.
But the actual piece of malware and exploit used to break in was more simplistic than what we see in everyday cybercrime data thefts. I don't think the attackers were amateurs. I think they knew they didn't have to do any sort of James Bond crazy exploits and malware. Just by writing your own run-of-the-mill simple malware, as long as it's a brand new piece of malware, antivirus software completely misses it because there is no known signature.
What do you think about the allegations that the attacks came from China?
Maiffret: It's a very hard thing to answer. When you look at the types of systems and data accessed and where the few hops we know about were—from a computer in China to computer in Taiwan—you think if someone's trying to frame China, they did a good job with it. The problem is it would be easy to pin it on someone else. From my personal experience and things I've seen firsthand coming out of China, it makes perfect sense to me. But to have factual data we can point to that's a smoking gun, it becomes extremely hard.
It turned out that at least in some of the attacks an Internet Explorer hole was used. Could there have also been other exploits used, targeting the PDF format perhaps?
Maiffret: Yes. It's hard to think that given the number of companies targeted and given the fact that in the same time frame there was a zero-day (Adobe) PDF vulnerability out there and unpatched, it would make sense that there were other exploits being used.
The other thing no one has talked about, and which I've been wondering about, is when you use an IE exploit, you'll use it against a user and get access to their desktop computer. You have to specifically target someone in IT with the keys to the kingdom and access to all the internal servers. How did they go from an IE desktop exploit to getting to the internal systems? That either involves more hacking that we haven't been told about, or they just happened to get the right employee that had access to everything by default, which I find hard to believe.
It was the summer between eighth and ninth grade when I finally got a computer and Internet access. I think I literally slept only a few days that summer and learned everything I could.
The news has brought increased attention to espionage and cybersecurity. How much is legitimate and how much is hype?
Maiffret: There has always been espionage. If you look at all the data online, it's on computers and it makes sense that espionage would follow with it. It's easier to have people on computers trying to steal secrets from another country or company than it would be to physically try to get into the companies or meet people in a back alley hand-off of documents. Now you can be sitting on laptop anywhere in the world. Aspects of espionage and cyberwar can be hyped up, but at the end of the day I don't know if it's been hyped enough in the sense that I don't think people understand how big of a problem it actually is.
From a consumer perspective, a lot of people are concerned about online banking. Do you bank on the Internet?
Maiffret: Yes. I do everything online. And I do it on my phone too. I would feel more comfortable doing things on my phone than on my computer, for the most part. On a computer there is so much attack surface to be compromised. Yeah, the iPhone has vulnerabilities, but when you look at the sheer numbers, like the fact that I open up PDF documents all day for work, that's a lot scarier than the idea that I'm on my phone. I'm also a Windows Mobile guy and a lot of people think it sucks so it's like running a Mac desktop—nobody cares.
The thing I would never want to put online would be my Social Security number. That kind of identity theft can be a nightmare to clean up. Not even online, but at the gas station where card skimmers are becoming so commonplace. In those cases, it's better to use a credit card and not your ATM and PIN combination where they can take money out of your account directly. The threat with online banking is that scammers will set up a bill pay account to themselves or do customer-to-customer or some other type of wire transfer. People should set it up with their bank so that their bill payees are locked and they can disable or freeze wire transfers or require a phone call from the bank before such transactions are done.
How did you get into computer hacking and security? If you started your first company at the age of 17 you were probably pretty young when you got into it.
Maiffret: When I was in the seventh or eighth grade, I met a friend who was into phone freaking, manipulating the phone system, everything from making free calls to blue boxing [devices that simulate the phone operator's dialing console], and I got into that first because I didn't even have a computer. That led to learning about BBSes [bulletin board systems] where you would dial up with a modem and you would be connected to a newsgroup where you could trade different posts and files. That led to learning about hacking a bit. It was the summer between eighth and ninth grade when I finally got a computer and Internet access. I think I literally slept only a few days that summer and learned everything I could.
Where did you grow up?
Maiffret: Orange County, an hour south of Los Angeles in Southern California.
Did you have a mentor or someone at school who showed you the ropes?
Maiffret: Not really. After school, I would go to where mom worked at a doctor's office and the owner would let me play on his computer. I always wanted to take things apart, like my dad's stereo. I wanted to know how everything worked. The doctor saw I had a knack for it and when he eventually bought a new computer he gave me his old one to take home. The computer was three or four years behind what my friends had and they were playing the latest cool video games and I couldn't do that. So that drove me to find out what kind of other interesting things I could do. Hacking was a big part of that. When I was doing hacking it was an escape from my crazy home life. It was an escape where people weren't telling me what to do. You were in control versus just being on some kind of roller coaster as a teenager.
[Computer security is] one of the only industries in the world where you're pretty much set up for constant failure and a race that never ends. You never really have a victory because as soon as you do the bad guys have moved on to something else.
Were you the stereotypical antisocial geek?
Maiffret: I was an average kid up until ninth grade. Going into high school was where I got into hacking and I definitely became more antisocial because I was fixed on doing that. Then I ran away from home for about a year. I went to Florida and was living with some different hacker friends of mine. We were part of a hacker group.
Maiffret: Rhino9. L0pht, which was much better known, was focusing on Unix and we were trying be the equivalent with Windows and Microsoft.
Is that when you had your brush with the law?
Maiffret: Yeah. After I got back (home). After about a year, I felt like I didn't know where my life was going. I had no direction. I was living off friends and wasn't happy. Finally, I came back home and talked to my family and said I wanted to do computers and security. I didn't want to finish high school because I knew what I wanted to do. My mom was cool and said "I'll give you two months to find a job, but you have to support yourself, otherwise you're going back to school." A couple of weeks after that I got my first real job working for a Web development company, which is where I met the owner Firas, who I eventually started eEye with.
One day I had the pleasure of waking up with a gun to my head from the FBI. I had been raided and everything. I don't have any record and I wasn't charged with anything. They thought I was doing crazier stuff than I was. I'm not actually sure why. They took all my equipment. For the first couple of months after that I was waiting for them to come back, but nothing happened. I was 17 at the time and it was a wake-up call; that this hacking and screwing around wasn't going to help me make the life I want.
So I talked to my friend Firas and told him about my ideas for a security product. That's when we started eEye and created the first product, which was to automate what I was doing hacking computers—a program called Retina. It would show you how to scan computers and break in but also how to fix it. Within a few years we were doing tens of millions of dollars in revenue and had 60-plus employees. To this day, Retina is a mandated standard part of the Department of Defense. Military bases around the world are using it.
I was in DC recently, meeting with different agencies and they all know my background. That was the smartest thing I did, to never try to hide my past. I run into people now who say they remember me messing with this server or that when I was a teenager. A year after I was raided I had an interview on an LA radio station and afterward the lead FBI investigator on my case called me and said "Hey, I heard what you're doing. It sounds like you turned your life around." And he wanted to let me know that the case was totally closed and that they were sending me all my stuff back, which was a really interesting time capsule. Even though it was only a year or a year-and-a-half later, to get this hacking stuff back was interesting.
What do you do for fun?
Maiffret: My biggest hobby outside of computers would be music. I have guitars, bass guitars, keyboards, and recording equipment. I also like to write a lot.
Anything else to add?
Maiffret: One question I ask myself is what keeps me going? What makes it interesting? If you look at how much progress has been made in security, companies are still getting hacked as much, if not more than 10 years ago. I've seen people get burned out on it because it's one of the only industries in the world where you're pretty much set up for constant failure and a race that never ends. You never really have a victory because as soon as you do the bad guys have moved on to something else. In other aspects of life, it's easy to become complacent and clock in at 9 and out at 5. But for me security has some new challenge every day. The intellectual challenge is what drives me.
What drew me to FireEye is they're not trying to chase the threat. We don't care what the vulnerability or exploit is. We're going to catch the attacks and know it's an attack based on what happens to the computer. While the threats have been highly dynamic and changing, what people do once they have compromised your computer—backdooring it, stealing information—that hasn't changed. If you focus more on discovering that aspect of the life cycle of attacks then you really can jump ahead of the bad guys.