Then there's 28-year-old Matt Green, another Rubin protege from AT&T Labs. Rubin says Green was the most brilliant person in the AT&T Labs building without a Ph.D. Green also followed Rubin to Hopkins, where he earned a master's in computer science and honed his knowledge in wireless network technology and security.
Rounding out the team is Steve Bono, a 24-year-old "natural," Rubin says. Bono earned the only A-plus that Rubin ever gave in more than a half-dozen years of teaching. Bono, who also holds a master's in computer science, specializes in radio frequency technology and breaking into any system.
Just ask Mark O'Hare, CEO of Security First Corp. in Rancho Santa Margarita, Calif. Before launching his company's new security product, which breaks data into random pieces of a puzzle for storage, O'Hare hired ISE. For three months, Rubin's team tweaked product algorithms. They studied the system design. They pored over thousands of lines of code.
O'Hare says ISE has helped to speed up and strengthen the product's performance by finding better mathematical formulas to break up data in more random ways.
"They have a certain way of thinking through things," O'Hare says. "We think we have a world-class product. We wanted world-class people to tell us we are right."
In some cases, companies just want ISE to tell them how everything and anything can go wrong.
While there are many computer security companies that offer similar services, ISE's past headline-grabbing work and Rubin's reputation in the field have brought many clients to their door.
Fortify Software in Palo Alto is one of those companies. As a proponent of creating better, more secure software instead of relying on software that blocks spam or scans for viruses, Fortify developed a testing tool that simulates all manner of attacks on computer systems and roots out errors in source code that leave it susceptible to attack. The company recently hired Bono to fly to California to help create the second version of its testing tool.
In that job, Bono's sole duty is to think like a hacker. The work sounds more glamorous than it is: he often sits at a computer terminal concocting ways to inject bad code into computer applications. The more ways he can think of to break into a system, co-founder Chess says, the stronger Fortify's testing tool will be.
"We've got a standard bag of tricks that our tool will automatically try," Chess says. "But Steve's got a depth of security knowledge that's proven useful to us. He comes up with a variety of ways to deliver attacks. He thinks about what can go wrong. He figures out what a bad guy is inclined to do. He finds your weaknesses."
It's sensitive work in a field filled with paranoid people, Rubin says.
Few companies want to talk about how ISE has strengthened their products. No one wants to talk about any mistakes ISE has uncovered. For that reason alone, ISE has to sign stringent nondisclosure forms before work begins. After that, most CEOs say they sit back and wait for the results as they hope their product stands up to the ISE test.
"If they don't find anything, you feel very good," says Seth Birnbaum, chief executive of Verdasys, a Massachusetts company that protects data from loss or misuse on laptops, desktops and servers. "If they find something major, how can companies not want to fix it? It's an expense that pays for itself in the long run. There's no security that's 100 percent effective, but what they're doing is helping you increase the strength of your product."
Since ISE's formation, eight companies have hired them. Six more are in negotiations for their services. Although much of their work is performed under contract to companies, the guys of ISE still enjoy doing research similar to what they did on voting machines and electronic payment cards. Rubin, for example, is expected to lead a new center at Hopkins that is being created with a $7.5 million grant from the National Science Foundation to study the reliability of voting machines.
"We consider it public advocacy work," Green says. "If companies make claims that their technology is unbreakable ... "
"There's nothing like a bunch of grad students showing them how to tear it apart," Bono says, finishing Green's thought.
"Yes, companies hate that," Green adds.
If that sounds a little cocky, they can't really be blamed. Rubin won't go into specifics about how much money they've made, but revenue projections for their first six months of operation are expected to hit a half-million dollars.
"I predict we'll make millions off this," Rubin says with a smile. "We'd like to do this for five years and then cash out, although I could see us continuing this if we're having a lot of fun. Right now, we're having a lot of fun."
Companies hire Avi Rubin to break into their computer systems -- and discover how to keep the data thieves out.