The evolution of computer security is not merely some dark mirror, passively reflecting advances in technology. While technology provides new opportunities for threats, these become true dangers only when there is a motivation to exploit them and a means to do so.

Stefan Savage, writing in The New York Times, Dec. 5, 2011.

By his own admission, Stefan Savage’s interests are all over the map.

Savage is a professor of computer science at the University of California, San Diego, who works on computer and network security issues with researchers at the University of Washington, where he got his PhD, as well as UC Berkeley, the University of Illinois at Urbana-Champaign, and elsewhere.

Last year, a team led by Savage and UW’s Tadayoshi Kohno showed that a hacker with physical access to an automotive electronic control unit could alter software to stop the engine, disable the brakes, and carry out other nefarious tasks. In follow-up research published earlier this year, Savage and company said they had succeeded in performing similar tasks remotely—using the cellular phone in a car to insert malicious software that enabled them to override various vehicle controls. (Their findings can be found at the website of the Center for Automotive Embedded Systems Security, a UW-UCSD collaboration.)

Savage also has helped lead wide-ranging studies of Internet spam, outlining the global “ecosystem” that supports compromised accounts, spam mailers, credit cards, e-mail lists, and other tools of the trade. This work led to a comprehensive study of just how much revenue spam advertising can generate, even when most of the spam is blocked. In a recently published paper, the scientists from Berkeley and San Diego counted more than 100,000 orders a month in just one spam network. The group also offered a “rough but well-founded” estimate that revenue generated from spam-advertised pharmaceutical drugs amounts to tens of millions of dollars a year.

He recently fielded some questions from Xconomy:

Xconomy: You’ve been involved in so many different aspects of cyber-security. What do you see as the single biggest danger in … Next Page »

Comments | Reprints | Share:          

Eager to build on the momentum in New York’s burgeoning startup community, the hackNY program offers college students from across country a taste of the city’s tech scene. The program, started some 18 months ago, is led by co-founders Evan Korth, faculty liaison for technology entrepreneurship at NYU, and Chris Wiggins, associate professor in the department of applied physics and applied mathematics at Columbia University. In includes competitions that push participants to build new technology products in a single, as well as a summer program to get students’ feet wet working with local startups. Korth says hackNY’s mission is out to bring together the next generation of hackers.

HackNY held its most recent hackathon in October, and Korth hosted the Nov. 2 NY Tech Meetup where the winners and others demoed their ideas.

In a recent interview, Korth discussed hackNY’s goal of creating a network of young technologists—as well as veterans of the tech scene—who can mentor one another and potentially work with local startups.

Xconomy: How does hackNY introduce college students to the city’s tech community?

Evan Korth: We have a summer fellowship program, where for 10 weeks students from around the country live together in the NYU dorms. By day, they work at various startups around the city. And on some evenings we have a pedagogical series where they meet some great … Next Page »

Comments | Reprints | Share:          

Are hackers and lawyers really that different?

If you hear someone talking about the two in the same sentence, you’d be well within your rights to assume it was an expansion of the old debate about whether a pirate or a ninja would win in a fight.

On first impression, the hacker (a.k.a. the software developer, the programmer or any other name you have for someone who turns code into magic) and the lawyer (a.k.a. the attorney, the guy who charges $450 per hour, or the JD) seem like natural enemies. Well I’m here to prove to you that they’re actually not that different.

I’ve taken an interesting path to understand and appreciate both hackers and lawyers. After starting my career in finance, I decided to become a lawyer and found myself as a startup lawyer representing hundreds of early stage technology businesses. Then, one day, fortune struck and I was able to join my first software company in the enterprise software space before co-founding Zaarly. During the past year, I’ve been able to work side by side with dozens of amazing hackers and witness the magic that they create.

Four Things That Lawyers and Hackers Have in Common:

Rules
When people think of hackers, they think of a culture based around spurning rules and conventions. When people think of lawyers, they usually imagine someone doing everything they can to ensure that rules and conventions stay firmly in place. This means that I’ve seen more than a few people raise their eyebrows when they learn that I’m a lawyer who made the jump into the world of the computer hacker.

Code
The hacker’s law is more internalized, while that of the lawyer is written down in extensive detail within huge tomes. But to both parties, staying true to their ethos is the most important thing. A lawyer arguing against the law won’t win the case, and a hacker making compromises in the implementation of their code will both see the results crumbling about them if they betray the nature of their role.

Language
Law can be a strange thing to the average person. It’s English, but it isn’t. The words are in English, the syntax is readable most of the time, but the way the language is used can be quite different from how it’s used in everyday speech. You’ll find the same thing with hackers. Partially in how they speak, because slang tends to come into vogue and out of it among them with lightning-fast speeds. However, it’s more in the sense of how hackers create their work. Most programming languages make use of English words and letters.

Depending on the programming language, a layman might well be able to make a guess about what any line of code does from examining the words used. However, like the lawyer, the programmer is using standard words in a very formalized way to create meaning that will often be totally incomprehensible to most people.

Not only do both the lawyer and the hacker use their own unique variants on language, they have to explain it to people on the fly. The lawyer needs to translate pages of law into words their client understands. Likewise, the hacker needs to be able to take the code they write, the images in a data flow diagram, and translate the meaning of any given piece to people at a moment’s notice.

Community
Perhaps the most important shared aspect between the hacker and the lawyer; in the end, they both depend to a huge extent on sharing and cooperation. Despite the fact that both are often seen as lone wolves, each role is among the most community oriented that one could imagine.

The lawyer is part of a large process of law, with each person adding to it, building on it, and implementing or testing various parts to make it all stronger. Together, lawyers work to create a social construct which connects us all together. The hacker does a very similar thing in their own specialty.

Similarly, the entire computer industry exists as it does precisely because of hackers sharing their discoveries and ideas with each other and building on it to create a larger whole. In the end, I’d say that’s the biggest similarity between the two roles.

When I was a lawyer, I specialized in helping hackers build innovative startups and provided full legal guidance as they grew. Now, as a part of that endeavor on the hacker side here at Zaarly, I find myself humbled by how this new community works together to create original platforms for the future of the industry.

So, who would win in a fight between a lawyer and a hacker? We’ll call it a draw.

Cross-posted from the Zaarly blog.

Comments (6) | Reprints | Share:          

Curtis Staker and Roman Yudkin have been busy in the 16 months since they officially launched Confident Technologies of Solana Beach, CA—using salvaged computer security software originally developed by Portland, OR-based Vidoop. As I explained last year, the suburban San Diego company has developed an alternative to the security protocol that requires an online user to provide a username and password to log onto an Internet account. Confident instead uses an image-based verification system, so a registered user selects an easy-to-remember combination of images, such as car, airplane, and fruit.

After raising $1.8 million last year to acquire Vidoop’s assets, CEO Staker says the company raised an additional $2 million in February to help build out the business. Last month, Confident said it was extending its “multi-factor,” image-based verification system to smartphones and other mobile devices.

Today the company is unveiling “Confident KillSwitch,” an add-on image-based authentication technology that is intended to defend user accounts and websites from automated, “brute force” log-in attempts and broadly based, denial-of-service attacks.

Confident says more than half of the major data breaches in 2010 were due to malicious hackers using brute force software (which uses a dictionary database to repeatedly try different passwords) and by exploiting easily guessable passwords, according to a 2011 Data Breach Investigations report. The company also says more than 84 percent of 150 popular websites, including Amazon, eBay, and WordPress, set no limit on the number of failed login attempts.

Confident’s CEO says the reason many companies don’t limit login attempts is that many people can’t readily remember their own user names and passwords. So they keep trying until they get it right—and the companies operating such websites are reluctant to … Next Page »

Comments | Reprints | Share:          

[Updated 2:10 pm with more details throughout] It’s not just for bootleggers anymore. Today, Microsoft (NASDAQ: MSFT) is making good on its promises to officially open up the Xbox 360′s Kinect motion sensor, offering a software development kit download for non-commercial uses. That means it’s aimed at “enthusiasts and academics,” some of whom the company said it invited over to its Redmond, WA campus for an all-day hackathon yesterday to start road-testing the kit.

While today’s beta version of the kit for Windows 7 isn’t aimed at commercial developers, Microsoft has already said it’s heading that way eventually, with Microsoft Research distinguished scientist Anoop Gupta telling CNet earlier this year that he thinks it could be “a meaningful business” in both software and hardware.

One of the chief areas that seems primed for Kinect’s technology is a combination with Microsoft’s recent $8.5 billion acquisition of Skype, the online video-conferencing service. Gupta told me in a follow-up interview today that video-conferencing—something Microsoft calls “telepresence”—is one of the big areas he personally sees as a holding rich potential for Kinect development.

For non-gamers who may have missed all the hubbub, Kinect is a bar-shaped sensor that uses cameras, microphones, and sophisticated software to detect live movements by people playing Xbox games. It is sensitive and sharp enough to distinguish depth, sense separate people standing in the same area, notice faces and pick up on hand movements.

Interest in the device quickly spread beyond video games, inspiring all kinds of futuristic-semming motion-controlled hacks right after it hit the market in late 2010—one of the most noted early adaptations was the effort by some University of Washington engineering students to use the Kinect for research into how surgeons can better control robots to perform delicate surgeries.

Microsoft was caught off-guard by the immediate enthusiasm for Kinect hacks, at first poormouthing the phenomenon and then clarifying that it intended to open up the technology all along. I guess this week’s hackathon leaves little doubt about the company’s seriousness for developing an ecosystem around the product, but it remains to be seen how soon Microsoft will go after the commercial side.

Gupta declined to give a timeline for a commercial release, saying in Microsoft’s in-house video conference that “Although our intent is to release a commercial SDK, we’re not making any announcements about it now.”

There’s not really anything stopping someone from doing some homework ahead of time, of course, and those academics have been known to turn their research into businesses from time to time. But Gupta also reminded business-minded hackers that the programming interface could change when CNet caught up with him in April.

“For a while, it was [that] you were waiting for the SDK,” Gupta said to developers in Microsoft’s announcement. “Now, it is I am waiting to see what are the exciting things the community is … Next Page »

Comments | Reprints | Share:          

A few weeks ago, I asked tech entrepreneur Dug Song, co-founder of Arbor Networks, what Michigan needs in order to build its own Silicon Valley. He did not hesitate.

“Hackers,” Song replied.

No, not the kind that breaks into the Pentagon or Federal Reserve and initiates Doomsday. Rather, tech geeks who fiddle with stuff in their spare time to create innovations that may or may not have a commercial purpose or any purpose for that matter. They do it for fun and curiosity, not money.

Sadly, Song says, such mentality doesn’t come easy to pragmatic Michiganders, who value stability over spontaneous creativity.

So it was a pleasant surprise to learn a group of Detroit-based hackers recently made the finals of a national competition for…uh, hackers. I3Detroit, a self-described “collaborative environment for people to explore the balance between technology, art and culture,” will join nine other hacker teams around the country in New York this summer for the Red Bull Creation Contest.

To qualify for the finals, Red Bull required interested teams “to hack the past, create a future,” or create a futuristic version of a historical piece of technology. True to the hacker creed, i3Detroit’s idea came rather randomly.

“We were just sitting around i3Detroit the night the contest details were announced, pondering what to do,” Eric Merrill told Popular Mechanics magazine, “when one of the i3Detroit members just blurted out ‘How about a time-traveling radio? and everybody looked at each other and said ‘That’s really good!’”

The result was the ChronoTune, a vintage-looking radio that offers listeners audio from different eras. The team modified a Philco 70/90 so that users can turn the dial to a certain year, say, 1863, and hear Lincoln’s Gettysburg Address. Or push the dial to 1941 and listen to Roosevelt’s declaration of war against Germany and Japan in World War II. Or simply enjoy the latest Lady Gaga tune.

(Can you imagine Doc Brown’s ride tricked out with one of these bad boys? Sweeeeet.)

The audio comes from swappable MP3 files stored in a SDHC card located in the back of the radio. Instead of a tuner locating a frequency like in traditional radios, i3Detroit’s tuner is motion controlled. When a user turns the nob, the ChronoTune senses movement and identifies the MP3 file closest to the pointer’s location.

Another cool entry comes from 1.21 Gigawatts (another Back to the Future reference!) from Minneapolis. The team created a high tech riff on the message in the bottle theme. As it floats in the ocean, the bottle can receive text messages from the world and relay said messages, along with the bottle’s GPS coordinates when it received them, to a website.

The 10 finalists will travel to New York in July where they have 72 hours to complete an unknown task. Winner gets $10,000 in cash and $10,000 worth of tools.

Does a time traveling radio or GPS-equipped message bottle have much technological or commercial value? Probably not.

But encouraging this kind of creative thinking among our best and brightest could one day produce an innovation that changes the world.

Personally, I’m still holding out for the flux capacitor.

Comments | Reprints | Share:          

[Updated 5/2/11 5:35 pm. See below.] A hacker attack that eviscerated the San Diego data center for the Sony PlayStation Network last month apparently led Sony to also shut down its Station.com online gaming website today. The episode involving the PlayStation Network prompted Sony executives to bow in apology in Tokyo yesterday, according to The Associated Press.

Today, a notice on the websites for both Sony Online Entertainment and Station.com says: “We have had to take the SOE service down temporarily. In the course of our investigation into the intrusion into our systems we have discovered an issue that warrants enough concern for us to take the service down effective immediately. We will provide an update later today (Monday). We apologize for any inconvenience and greatly appreciate your patience.”

[Updates with late statement from Sony] A press release from Sony headquarters in Tokyo later clarified that personal information from approximately 24.6 million Sony Online Entertainment accounts “may have been stolen,” as well as certain information from an outdated 2007 database. Sony says today that the compromised information from the 24.6 million accounts consisted of customers’ names, addresses, e-mail addresses, birthdates, gender, phone number, login names and password.

The security breach also affected another 10,700 direct debit records from accounts in Austria, Germany, Netherlands and Spain—compromising more sensitive personal information, including each customer’s bank account number, customer name, account name, and customer address.

In its statement today, Sony says: “the company is committed to helping its customers protect their personal data and will provide a complimentary offering to assist users in enrolling in identity theft protection services and/or similar programs. The implementation will be at a local level and further details will be made available shortly in each region.”

According to a wire service report from Japan, the network that supports Sony’s PlayStation video game machines and the company’s Qriocity movie and music services has been shut down since April 20.

The chief of Sony’s PlayStation video game unit was among three executives who bowed for several seconds at the company’s Tokyo headquarters yesterday.

The network, which serves both the PlayStation video game machines and Sony’s Qriocity movie and music services, has been shut down since April 20. It is a system that links gamers worldwide in live play, and also allows users to upgrade and download games and other content.

Comments (2) | Reprints | Share:          

“The fantastic advances in the field of electronic communication constitute a greater danger to the privacy of the individual.” 1963 quote from Supreme Court Chief Justice Earl Warren.

I moderated a panel last week for Xconomy that was focused on consumer-oriented healthcare information technology. The panel included 2 hospital chief information officers (one current, one former) and two healthcare IT company executives. The panel itself was preceded by a presentation from Dr. Kevin Patrick, a preventive medicine specialist at UC San Diego and director of the Center for Wireless and Population Health Systems at the California Institute for Telecommunications and Information Technology. Dr. Patrick talked about many things, but among them was a program he is leading that relies on Facebook to support individuals’ weight loss goals. By engaging ones friends and friends-of-friends, goes the theory, one can more effectively stay on track with a weight loss program and work to prevent the scourge of Type II diabetes, among other problems. Dr. Patrick hypothesized that this approach could work with other health-related areas beyond weight management.

In fact, there are already companies trying to cash in on this approach, including PatientsLikeMe, the Cambridge, MA-based company that supports different online communities of patients who share the same life-changing diagnoses. Such specialized communities of electronic show-and-tell may become increasingly prevalent as the era of personal genomics makes it easier and less expensive to diagnose every person’s inherent disposition to disease.

It’s an interesting time for consumers who are theoretically trying to (or being forced to) become more engaged in their own health and to take a greater role in managing their own healthcare. One of the issues oft discussed in this context is privacy and its companion, data security. There is a generally accepted view that patients worry a great deal about the privacy of their healthcare information and much effort is made to protect healthcare data security as a result. Or is it?

One of the questions I asked my panel to respond to was this: does anyone really care about privacy and security when it comes to healthcare or is that just one of those things people are supposed to say? The response from everyone on the panel was the appropriately emphatic “yes, it’s important”, but I am not sure I’m convinced. If Dr. Patrick’s patients are going to use Facebook to share healthcare information with each other, can they really care about privacy and data security? Let’s be real; Facebook is about as secure as Tiger Woods’ hotel room: pretty much anyone can get in.

Some people feel very comfortable freely discussing their … Next Page »

Comments | Reprints | Share:          

We have a lot of events here in Seattle that are so quintessentially representative of Northwest culture—Bumbershoot, Folklife, Bite of Seattle, SeaFair. And then there are all of the gaming conferences—like Casual Connect, and the Penny Arcade Expo—and way too many tech-themed meetups to count. Each and every event, no matter how different, is blogged, Tweeted, and talked about. I think it’s safe to say we’re a pretty diverse—and technologically inclined—bunch.

But I’d never heard anyone be so absolutely upfront about the nerdy nature of Seattle’s tech culture—that is until word got out of the first annual Seattle Geek Week.

The inaugural Geek Week—ten (not seven) days of tech-oriented “geeky” events, kicking off today—is the brain child of Seattle-area entrepreneur, technology consultant, author, blogger, podcaster, enthusiast, and self proclaimed geek, Chris Pirillo.

Pirillo, who founded content publishing network Lockergnome in the early ’90s and has been the man behind the Gnomedex tech conference for the last ten years, says Geek Week is an opportunity for Seattleites to wear their “geek” badges with pride. He says he’d witnessed other cities “rally around their own communities,” so why not do the same for techies, nerd, and “geeks” right here in Seattle?

“Geek Week is there to get people amped up and to raise general awareness for what I believe is a geekiness inside of Seattle,” Pirillo says. “I see all these art festivals, and that’s great because you see art geeks there. I see these food festivals, and that’s great because you see food geeks there. This is for technology geeks.”

At Geek Week, Seattle techies will have a chance to come out of the woodwork and commiserate on all things geeky on the Seattle tech scene. The next ten days will be filled with panels, conferences, meet-ups, and parties on a variety of techie topics—from software and hardware to entrepreneurship, cleantech, social media, startups, and demos. Seattle tech organizations sponsoring events during Geek Week include BarCamp, Social Media Club, TechKaraoke, Innovate100, TechCafe, and more. Some events are free, while others require registration. Check out the full lineup here.

They’ll be a little something for everyone, according to Pirillo.

“People like getting out, they like getting together with friends, they like meeting new people,” he says. “My hope with this is to get out to communities around town small and large, and cross pollinate—I hope to have the Medici effect.”

I asked Chris what he thinks are the events to watch for out of the 10-day lineup, and he listed off a handful of what he thinks will be the popular picks, including the two major conferences … Next Page »

Comments (3) | Reprints | Share:          

Crisis Commons, a non-governmental organization formed last year to apply information technology to disaster management and humanitarian relief efforts, will mount a “CrisisCamp” session for Boston-area developers this Saturday in Cambridge. It’s the second weekend in a row the group has organized such sessions; similar camps took place last weekend in Los Angeles, Washington D.C., and other cities.

“The goal is to bring together a large group of volunteers from the technical community—at varying levels of technical proficiency—to collaborate on technology projects that aim to assist in Haiti’s relief efforts by providing data, information, maps, and technical assistance to NGOs, relief agencies, and the public,” says Liz Campbell, vice president at Cambridge-based Fama PR, which is assisting Crisis Commons with publicity around the event. Previous CrisisCamp sessions have produced digital maps of Haiti to help relief groups coordinate rescue operations and a Creole-to-English dictionary for the iPhone and other smartphones.

Travel reservation software company ITA Software is hosting the session, which will run from 9:00 a.m. to 4:00 p.m. this Saturday, January 23. At press time, there was still room for at least 60 participants. For detailed information about the event, see this CrisisCommons wiki page, and to sign up to participate, go to this Eventbrite registration page. For more background on the CrisisCamp phenomenon, see this informative article at CNN Tech.

Comments | Reprints | Share:          

Tadayoshi Kohno spends his career looking at life through the eyes of a criminal, and he’s teaching University of Washington students to do the same. The UW computer science and engineering assistant professor studies computer security and privacy, which to Kohno means anticipating the bad guy’s moves before he does. I chatted with him recently to find out more about the “security mindset,” how you teach it, and what this mysterious bad guy could do using ingenious technology hacks.

“We’re seeing computers in all aspects of our lives, in medical devices, exercise equipment, cars, airplanes, utility systems, power lines, everywhere,” Kohno said. “One of my main concerns is that while we’ve thought a lot about security for our desktop computers, computing is much broader than that, and we need to address security for all of it.”

Kohno’s interest in security goes back to his teenage years, when as a 10th grader he won the Colorado History Day competition with an essay about the history of cryptography. During his doctoral work, Kohno revealed security flaws in the software of electronic voting machines. The machines, which were rising in popularity following the 2000 presidential election, could easily be hacked to manipulate votes or reveal people’s voting choices, Kohno said.

Since then, he and his graduate students at the UW have pointed out security holes in technologies such as implantable cardiac defibrillators, pacemakers, radio frequency identification tags (which are used, among other places, on many credit cards and Washington state’s new enhanced driver licenses), and the Nike + iPod sport kit (the workout tracker that fits inside running shoes). His group has also recently developed software that causes messages or data to self-destruct after a set period of time. The program, Vanish, is one step towards a security answer to the problem of putting all your information into the “cloud” of sites such as Facebook or Google, Kohno said, where it might be backed up and never fully deleted.

I found his group’s revelations about implantable medical devices especially chilling. Right now, devices such as cardiac defibrillators signal wirelessly only over short distances, to allow doctors to adjust them without surgery. But in the future, Kohno said, he can see technology advancing to the point where those wireless signals have a longer range, and that’s where the real danger to the patient comes in. Beyond just gleaning a patient’s medical and other personal information, a defibrillator hacker could send signals to shut off the device or send electric shocks to the patient’s heart. In 2008, Kohno’s group managed to perform these potentially fatal hacks on a real defibrillator (not in a person).

“This is a wake-up call for the industry and the FDA that these are serious issues, or could become serious in the future,” Kohno said. “I believe that providing the first concrete evidence is the first step toward having a broader impact.”

To figure out which piece of technology he’s going to hack into next, Kohno asks what the next big thing in technology is going to be over the next five to 10 years, that people might not have examined for security gaps. Then he tries to think of every damaging thing a devious person could do with that technology, if they hacked into it. “I think I have always liked to play the game of looking for holes in the system,” Kohno said, when I asked him how he first got interested in security.

Kohno, who is kicking off the Technology’s Alliance’s Science and Technology Discovery Series with a lecture this morning, also teaches undergraduate and graduate classes on computer security at UW, and is planning a security lecture or event for middle school and high school students sometime in the next year. Even though most of his students won’t go on to become security professionals, Kohno sees his courses on the “security mindset,” or how to think one step ahead of the hackers, as valuable for the computer industry, so that those working on new technologies will know when to call in the experts. “I want students have the habit of saying ‘what if’ when they see a new system,” he said. “The gritty details are much less important than having the mentality of asking, ‘What if something bad happens?’”

Comments (1) | Reprints | Share:          

In financial results issued late yesterday, San Diego defense contractor SAIC attributed its increased second-quarter revenue and earnings to “recent wins in defense logistics, information technology, and cyber-security,” among other things.

That last part about cyber security may be an understatement, based on a conversation I had last night with Alan Paller.

As a founder and director of research at the SANS (SysAdmin, Audit, Network, Security) Institute, a cooperative computer security organization in the Washington, D.C. area, Paller has a front-row view of the relentless electronic attacks besieging the nation’s computer infrastructure. He gains much of his insights through his work with SANS, which conducts research and training for system administrators, and oversees the Internet Storm Center, a volunteer Internet security monitoring organization. In the 20 years since the institute was founded, Paller also has developed an extensive network of professional connections in network security both in and out of government.

Alan Paller

As Paller told me last night, Internet attacks on government computer networks have become a constant threat, an intense storm that’s not just rattling windows and doors, but also breaking into sensitive government computer systems that store data about U.S. technology. It is a warning he often makes. Yet one reason why SAIC is becoming so crucial stems from testimony he delivered just five months ago to the U.S. Senate Committee on Homeland Security and Government Affairs. In his presentation, Paller emphasizes two new realities about the nation’s cyber-infrastructure:

—Computer attacks by hackers, nation states (e.g. China), organized crime in Eastern Europe, and even terrorist groups have more deeply penetrated U.S. civilian government agencies and the critical national infrastructure computer networks (e.g. computers that control power grids) than has been publicly disclosed.

—The attackers are improving their techniques far faster than the U.S. government has been improving its defenses. In other words, the threat is increasing at an accelerating rate.

Paller contends that SAIC, with its institutional expertise in IT systems integration for U.S. intelligence and defense agencies, is way ahead of other defense contractors because “a lot of the guys with security clearances don’t have the necessary skills.” His insights helped give … Next Page »

Comments | Reprints | Share:          

You might think that all of the engineering brainpower in cities like Boston, San Diego, and Seattle is sucked up by high-voltage startups or by giant employers in the software, server, or semiconductor businesses. But proof that there’s plenty of surplus technological creativity in these regions is popping up in odd places like Willoughby & Baltic, a “hackerspace” I visited last month in Somerville, MA.

The group’s workshop—which was located until recently above a Subway sandwich shop in Davis Square and is in the process of moving to a former machine shop in Union Square—is essentially a clubhouse for geeks who like to build stuff in their off time. The “stuff” ranges from robots and other electronic toys to jewelry and interactive art installations—and to build it, members have collected a veritable museum of castoff equipment, from lathes, mills, kilns, and forges to soldering irons and spectrophotometers.

Like more than 50 other hackerspaces in the U.S., Willoughby & Baltic is built around the philosophy that it’s more fun to share tools, equipment, and ideas than to tinker alone in the garage or the basement. That makes it a living example of the “maker” epidemic, which got underway in the San Francisco Bay area roughly five years ago. The movement draws momentum from a burgeoning open-source hardware movement born in Europe, and is infecting new cities at a formidable rate. (Seattle is home to at least three hackerspaces—Hackerbot Labs, the 911 Media Arts Center, and Saturday House— and a group called Hackerspace SD is getting organized in San Diego as well.)

The founder of Willoughby & Baltic, who gave me a tour of the Davis Square workshop and gallery space back in April, is Meredith Garniss. Trained as an artist at Boston’s Northeastern University, Garniss long held various software engineering positions in the desktop publishing industry. But she left her job at digital font maker Bitstream in 2001 to paint, teach, and lately, hack hardware—a pastime she believes is best pursued in groups, where people can teach one another new skills. At any given Willoughby & Baltic gathering, a jewelry maker might end up sitting next to a hydraulics expert, leading to all sorts of crazy projects. “We were thinking about calling the group The Society for Soldering Things to Other Things,” Garniss jokes. “We don’t take any of this too seriously. We just like to have fun and build stuff.”

The hackerspace is actually the third or fourth incarnation of the Willoughby & Baltic brand, which started off as fanciful name for Garniss’s electronic typeface foundry in the mid-1990s, then went dormant for a while, and was then re-applied to the Davis Square garage space that Garniss turned into an art studio after leaving Bitstream. The studio evolved into a community puppet theater; the puppets went robotic; the theater group became the Boston chapter of the international hobbyist group Dorkbot (whose tagline is “People doing strange things with electricity”); and a group of Dorkbot members eventually decided to rent the second-floor space above the neighboring Subway and turn it into a hackerspace.

The Wikipedia definition of “hackerspace,” by the way, is “a real (as opposed to virtual) place where people with common interests, usually in science, technology, or digital or electronic art, can meet, socialize and collaborate.” The emphasis in hackerspaces is definitely not on the kinds of commercializable technologies that we usually cover here at Xconomy. At a recent interactive art exhibition hosted by Microsoft’s Startup Labs in Cambridge as part of the Boston Cyberarts Festival, for example, one Willoughby & Baltic member showed off a patch of artificial turf that responded to any touch with a growl or a rumble. The piece’s title: “Sod Off!” (You can read more about the Microsoft event in this Boston Globe article by D.C. Denison from May 18, and Wired‘s Dylan Tweney wrote a nice piece about hackerspaces for the magazine’s Gadget Lab blog back in March.)

As someone who long felt stifled by her various software jobs, Garniss has a theory about what attracts people to hackerspaces. “A lot of the people who come here at night or on the weekend went to work at high-tech companies thinking they were going to have a certain level of creativity, and they’ve come to feel over time that their creativity is being squashed,” she says. “But they still need a creative, collaborative environment—so they come here.”

On a typical weekend, a visitor to Willoughby & Baltic might find Garniss leading an “Arduino Bootcamp,” an introduction to the open-source Arduino electronics prototyping platform. A group of hardware hackers in Italy founded the Arduino project in 2005 as a way to … Next Page »

Comments (1) | Reprints | Share:          

Paul Graham may be the founder of famed Mountain View, CA- and Cambridge, MA-based startup academy Y Combinator, but he’s almost as well known for his monthly essays about the technology business. His latest edition, out today, argues that it’s no harder to get a technology startup off the ground during bad economic times than during boom times—and that, in fact, it may be easier.

The 1970s—a time of extended economic stagnation—saw the birth of both Microsoft and Apple, Graham points out. A startup’s most important tasks, Graham asserts, are finding the right people and making something that customers want. During a downturn, it may actually get easier to recruit great co-founders and software developers, since they may be looking for work. And during hard times, there’s a premium on any product or service that saves customers money—so startups, which often “make things cheaper,” are probably “better positioned to prosper in a recession than big companies,” Graham writes.

The big challenge for entrepreneurs during downturns, of course, is that investors are feeling lighter in their pocketbooks, and therefore more cautious. Most investors are lemmings, Graham implies: “Everyone knows you’re supposed to buy when times are bad and sell when times are good. But of course what makes investing so counterintuitive is that in equity markets, good times are defined as everyone thinking it’s time to buy.” The key for startup execs and staff, he says, is to be as frugal as possible with the money they do raise—and to stay brave. When times get bad, too many hackers get conservative and  “go to grad school” rather than diving into the startup world. But hackers are investors too, “buying stock with work,” Graham says, arguing that “like any investor, you should buy when times are bad.”

Comments (1) | Reprints | Share:          

VMware’s five-month delay in issuing a fix for a security hole that could leave three of its workstation virtualization programs vulnerable to takeover by hackers—and its elusiveness about announcing a patch date—prompted a Boston-based security firm to break with its usual practice last week and publicly disclose the problem.

Iván Arce, CTO of Core Security, whose engineers discovered the vulnerability last October, told us of his firm’s mounting frustration with VMware—and its concern for commercial users of the affected software—after we went back to both parties this week for more details of the disclosure. Arce says his firm doesn’t normally release its findings about vulnerabilities in commercial software until the vendor has prepared a patch. But in this case, given VMware’s lack of progress, Core Security felt obliged to publicize the bug so that users could protect themselves from potential hacker attacks.

“With every day that passes, the chances of somebody finding this on their own and exploiting it increase,” Arce says. “Instead of waiting for an official fix, we figured the best thing we could do was to publish the information and a workaround, so that people could protect themselves and implement the measures they think necessary.”

VMware (NYSE: VMW) is still working on a fix for the security hole. The company tells Xconomy that it has no specific date to announce for the release of a patch for the affected programs, which include VMware Workstation 6, Player 2, and ACE 2.

Nobody is accusing VMware, a subsidiary of Hopkinton-based EMC (NYSE: EMC), of negligence or foot-dragging. In fact, Arce says VMware is far from the worst vendor Core Security has worked with on a security problem. But it’s not the most efficient, either, he says. And the whole episode provides an interesting look at the sometimes awkward pas de deux between security companies and commercial software vendors that occurs after a vulnerability is discovered. This dance is usually hidden from view—but in this case it’s very public, thanks in part to Core Security’s practice of publishing the entire timeline of its communications with vendors when it issues a security advisory.

The vulnerability in VMware’s software relates to the “Shared Folders” feature of the Windows versions of VMware Workstation, Player, and ACE, which all support the creation of a virtual guest machine on a host computer—a computer-within-the-computer that can run a different operating system and applications than the host. The Shared Folders feature is intended to give users an easy way to transfer files from designated folders on the virtual computer to designated folders on the host computer, or vice-versa.

In March, 2007, security company IDefense Labs discovered a way to change the names of the targeted folders and save files anywhere. In effect, any hacker who already had control of the guest system could exploit this flaw to gain control of the host computer as well—violating the supposed isolation between guest and host that is a big selling point for VMware and other virtualization vendors. VMware patched the problem, but in the process of testing the patch last fall, Core Security’s engineers found yet another way to outwit the software’s system for filtering out invalid folder names.

Core Security notified VMware’s security team about the new problem on October 17, 2007. The response wasn’t exactly alacritous. Here’s Arce’s version: “VMware told us that they were planning to fix it with the next release of the VMware products in December. Then they told us that since it was the end of December [when many employees would be away on holiday] they would let it slip to early January. We said ‘Okay, no problem; we’ll just wait for that to publish our advisory, since we’d prefer to have a fix for a problem before we make it public.’ Just before January ended, we were informed that the date for the release had slipped to the second week of February. Then we heard that that date was not achievable anymore and that they were scheduling the release for the third week of February.

“In view of that,” Arce continues, “we said, ‘Okay, the developers’ estimates keep changing and now we have a new estimate. Since this may or may not be realistic, we should just publish this and provide a workaround for all users.’”

The workaround is simple: disable Shared Folders. And that’s exactly what VMware advised customers to do in a “critical security alert”—but it didn’t issue that alert until late February, after Core Security issued its own advisory.

I asked VMware whether Arce’s version of events squared with theirs, and whether they could … Next Page »

Comments | Reprints | Share: