I’ve spoken to four different investors over the last two weeks trying to get at least a small piece of an angel financing round being quietly pitched by Delicous founder Joshua Schachter. He’s raising just $1 – $2 million, we’ve heard, at a valuation that may be as high as $15 million.
Schachter sold Delicious, one of the definitive startups that re-energized the consumer Internet sector in 2004-2005, to Yahoo in 2005. He left Yahoo in 2008, and joined Google in 2009. He left Google earlier this year.
Entrepreneurs like Schachter are highly valued by investors. The success rate of repeat entrepreneurs higher than first timers. And one potential investor put it succinctly – “Even if the company fails, someone will buy it just to get Schachter. There’s no way we lose our money.”
So what’s the name of the new startup? That seems to still be up in the air. I contacted Schachter to get confirmation of the funding raise and to ask what the new startup will do. He won’t comment on the funding. But he did say he was tossing around a few ideas for the startup. His response:
I’m either going to launch an open source operating system for unmanned aerial vehicles, or build a first person shooter to teach non-violent solutions based on buddhist principles. Or a pet food review site. Which one do you like best?
We’re going to take that as a “no comment,” too. Although I think the U.S. government would just love to use an open source OS for its UAVs. I’d go with that one, Joshua.
AdMeld, one of several startups promising to help online publishers “optimize” their advertising, has attracted new backing from both the venture and media world. It just raised a $15 million third round led by Norwest Venture Partners, with contributions from Time Warner Investments.
New York-headquartered AdMeld said publishers use its tools to pull advertising from hundreds of ad networks, ad exchanges, and other sources, allowing them to show the ad that will make the most money from each impression while keeping out ads that might be damaging to their brand. AdMeld faces competition from startups such as the Rubicon Project and PubMatic, but it reportedly reaches 395 million unique viewers already, and its customers include Answers.com, Fox News, Pandora, and World Wrestling Entertainment.
In the funding announcement, Time Warner Investment’s Rachel Lam said AdMeld could be an important partner to the parent company.
“AdMeld commands the technology, team, and vision to help Time Warner’s online publishing groups maximize their value in the swiftly-changing online ad market,” Lam said.
AdMeld has now raised $30 million. Previous investors Spark Capital and Foundry Group also participated in the round.
Black Hat and Defcon have become the must-attend conferences for both computer security professionals and fringe hackers alike. I’ve been attending for a number of years and have always been struck by the stark contrast between the people attending, ranging from federal computer security experts on the one hand and mohawk-adorned rebellious teens on the other. (Pictured is Black Hat/Defcon founder Jeff Moss, also known as Dark Tangent). For all of our stories on Black Hat and Defcon, click here.
Defcon is in its 18th year and started in 1992, when Jeff Moss (above), threw a party in Las Vegas for about 100 of his hacker friends. It has since become the largest hacker convention in the world. Moss started Black Hat in 1997 and that conference draws a few thousand security pros and corporate security administrators.
Black Hat has plenty of controversy itself. This year, a Taiwanese researcher proposed a speech on hacking activities of the Chinese army. But under pressure from the Taiwanese government, he withdrew the talk. Somebody almost always pulls the fire alarm as part of the prankster tradition behind hacking. Speakers’ web sites are regularly hacked, and companies such as Cisco have pressured employees not to give presentations at Black Hat, which is held at the upscale Caesar’s Palace hotel in Las Vegas.
Defcon is a different animal, held at the downscale Riviera Hotel. Federal law enforcement agents arrested one speaker in 2001, a day after Defcon, for writing decryption software. Attendees are warned to stay off the wireless networks or risk being put on the Wall of Sheep, a projected image on a wall that shows usernames and partial passwords of those who have been “powned,” or hacked. At Defcon, you can pay for your badge in cash. The press is not allowed to take pictures of the crowd (Dateline NBC once tried to sneak a reporter in; she was caught and publicly embarrassed). There are physical lock-picking contests as well as cyber hacking contests. Guards are called “goons” and attendees, known as humans, delight in playing “spot the fed” competitions. I hope the photos below give you a good impression of what it’s like to attend these conferences in Las Vegas.
Barnaby Jack was the main attraction at Black Hat this year. He showed how to hack two automated teller machines on stage and got tremendous applause as the machines started spitting out “million dollar bills” that Jack had loaded into them. John Hering (left), chief executive of mobile security firm Lookout, and Kevin MaHaffey, chief technology officer, gave a presentation on how apps often access private information on smartphones. They pointed to apps such as an Android wallpaper app that sent your identification information to a web site in China.
Hacker “The Grugq” showed how he could hack into the GSM phone network and bring down a cell site. He said even emergency services were vulnerable. His talk was one of several that showed the vulnerabilities of GSM (Global System for Mobile communications, the protocol used in 80 percent of the world’s cell phones). Dan Kaminsky, who discovered a fundamental flaw in the internet’s address system in 2008, was entrusted as one of seven people who has a key to reboot the internet in case of a catastrophe. Kaminsky gave talks promoting the use of DNSSEC, or security extensions to the Domain Name System (which keeps all web addresses) to improve overall web safety. General Michael Hayden, the retired director of national security, said that the internet was not created to be defensible. “You guys make the cyber world look like the north German plain and then you bitch and moan because you got invaded,” he said. He said that one of the tough things about cyber war is that there is often no way to tell who attacked you. If a 15-year-old kid in China launches an offensive cyber war, do you hold the government of China responsible?
Moxie Marlinspike, a researcher at the Institute for Disruptive Studies, was disturbed at how you have to either give up your privacy when using the web or cell phones, or just drop out of society. He showed another path with a project that allowed users to surf Google anonymously and make secure web calls. A speaker named Rain talked about how to build a lie detector for a small amount of money and then beat it by controlling your emotional and physiological responses to questions.
After five years of running computer security at Facebook, Max Kelly quit three weeks ago. The former FBI computer security specialist said he believes that government and commercial entities should present a united defense against cyber warfare. Microsoft threw a party at the cool Vanity nightclub at the Hard Rock Hotel. I met with Dave Forstrom, director, Microsoft’s Trustworthy Computing Group, for an interview. He said that the company’s disclosure of bugs in its operating systems and software have worked pretty well in the past few years. Now, it will release vulnerability information to third-party partners — including antivirus vendors and other companies — ahead of time so that they can come up with fixes before the bad guys can get their hands on the information. There are now 65 partners participating, including Adobe, which will share its vulnerability information ahead of time with the partners.
And yes, I suppose this good news from Microsoft was cause for much rejoicing. Here are some party goers dancing away at the Microsoft event. Microsoft said that the number of vulnerabilities found on its systems remains far smaller than those found elsewhere. More scenery from the Microsoft party at the Vanity nightclub. There are many distractions in Las Vegas. But by and large most people seemed focused on vulnerabilities. You’ll notice the stark difference from this slick scene at a Black Hat party and the imagery at Defcon.
Amazon.com had job openings in security. It used this computer science programming puzzle to try to recruit new employees. Here’s another scene from the Black Hat exhibits, where a company asked hackers to assemble a little robot for fun. It was another interesting way to find job recruits. Can you smell the money here? Bahram Yusefzadeh, chief executive of Red Lambda, and Rob Bird, chief technology officer at Red Lambda, were quite pleased to raise $10 million in new funding for their grid-based security platform, AppIron. At the show, they announced the FireGrid unified threat management service to use grid computing solutions (treating lots of unused computers as one big supercomputer) to deal with all sorts of security threats. The future, they say, isn’t just in the internet cloud; it’s in the grid. David Marcus, director of security research at McAfee, got a few tattoos so that he could get VIP entrance to the McAfee party. At a pre-party reception, he mentioned how his daughter played a joke on him by grabbing his iPhone and telling the world that she had just powned her father, the security guy. Marcus laughed that off and noted how all of the interest at the show was moving to concerns about mobile security, as smartphones become the new computers. Garry Pejski, a 31-year-old security consultant from Toronto, told the Defcon crowd a cautionary tale about how in his early career he wrote spyware that tricked people into accepting junk software installs and pop-ups. He said your honor is worth more than the money you can get from such jobs; but he cracked some funny jokes as well about how bad antivirus software was at detecting spyware. One of the many temptations in Las Vegas: the pool at the Hard Rock Hotel. At Defcon, the counterculture is alive. You can tell the mixture of cyberculture and anarchy in these T-shirts for sale at the event. Gamers, geeks and hackers. That’s probably a good description of the 10,000 or so folks who attended Defcon. Chris Paget, an “ethical hacker,” tried to read radio frequency identification tags from the 29th floor of the Riviera Hotel. He pointed his high-powered antennae at a guy with tags on the ground. He could detect the tags, but could not read the serial numbers on the tags because of the Las Vegas heat. Still, his point was a good one. It makes no sense to put identification data in RFID tags such as U.S. passport cards. In the recreation area of the Defcon conference, you could get your very own mohawk. I decided to pass. I stopped at the Wall of Sheep to check to see if any of my passwords were on it. Fortunately, I turned off both my laptop’s Wi-Fi and my iPhone’s as well. Many other people failed to do so. Breaking into computer networks isn’t the only thing you can learn at Defcon. You can also take classes on lockpicking physical locks as well. Chris Paget had to put up warnings throughout the Riviera Hotel saying that he was going to hijack the cell phone network there for purposes of demonstration. He managed to do so, getting dozens of GSM phones to log on to his makeshift GSM network. The point he made is that GSM is a flawed technology and that you can intercept calls on it. Meet the hacker’s best friend: Jennifer Granick, civil liberties director at the Electronic Frontier Foundation, which often defends the rights of hackers to do research and protects them when the government comes after them. She talked about the EFF’s efforts to win consumers the right to jailbreak their iPhones, or put unauthorized software on it for their own personal use.
Charlie Miller, a security researcher who talked about how North Korea could build a cyber army to beat the U.S., doctored a photo of North Korean dictator Kim Jong-Il and his generals having a laugh. Miller predicted it would cost $45 million and two years of work for North Korea to set up a fearsome cyber army.
The crux behind game mechanics is the feeling that you’ve accomplished something; “Whether you’re clicking on a plot of land or a musical note, that is an accomplishment” says Social Gaming Network’s Shervin Pishevar. Social gaming gives you the opportunity to share these goals with your social graph so that many people see them, as well as the chance to work on these accomplishments collaboratively.
Pavlovian mechanics are crucial. It’s important as a user to feel like the time that you spent came up with a result, social elements like being able to see how you did with other people, and being able to play with other people play into this. Integration with music also creates an emotional linkage, one thing responsible for Tapulous’ success was the functionality to apply multiple songs from artists like Justin Bieber to Lady Gaga.
Decrem elaborates, “There’s an actual science around how to engage and monetize users, the Farmville harvest mechanic, for example. On mobile, its ‘the x factor’ does the game have magic?” What we’re now seeing is what happens when the science of game mechanics in social games is combined with the quirkiness of what you see on the iPhone platform.
According to Seth Priebatsch, new employees at SCVNGR memorize a deck of 50 game dynamics like the progression dynamic, or earning points to make progress. They then can incorporate those elements into a game, “Humans love progress bars, if you see a progress bar, you want to complete it.”
How will games increasingly square with the real world?
Currently all the value creation happens mostly on Facebook, but that will soon change. The panelists all agreed that this recent integration of social and mobile is beginning of a new computing platform, mainly due to the capabilities introduced by the iOS. Killer apps on this new platform will need to incorporate both a social element and an entertainment element in order to survive.
According to Pishevar, SGN is “Working on things where you’re placing your phone in the real world and seeing 3D characters walking down the street, games where you have a garden in your actual physical yard that you’re actually tending to and it’s growing and you can see it on the iPhone.“
Decrem elaborates “There’s no difference to me between playing Tapulous on the iPhone and using my Starbucks card in the morning, wanting to get 15 stars so I can get a free coffee … “
Real life rewards for online behavior are a force to be reckoned with, and will increasingly become more prevalent as developers continue to experience success with them. Yelp for example, saw their usage skyrocket when they incorporated the Check-in element. “You’re checking in with a physical card instead of a mobile. We haven’t invented anything new.”
Says Priebatsch “We are bringing one very new thing to the game framework, the open graph API. Social traffics in connections, games traffic in influence. By applying that to the real world, we are building a platform that traffics in motivations and rewards.”
In what new ways can these game mechanics can be applied in the future?
“We’re really in the first or second inning on the mobile side,” says Pishevar, “The level of creativity and fun that’s coming is incredible.”
Should businesses rush to apply social mechanics? “It’s just natural evolution,” says DeCrem. Businesses developing a product should ask themselves, How about if you can connect with your friends? How about if we make it fun?
Piveshar’s one criticism is that the gaming industry could do so much more. “Because of the social graph many have cut corners of quality in order to monetize; We’ve got hypergrowth. Lots of millions have been created and its time to give something back.”
Acker brought up the idea of games that cure cancer as one way social gaming can actually benefit society, referring to HopeLab’sRe-Mission and Zamzee, “It doesn’t matter how many brochures you show a kid, he’s not going to want to [go to chemo]. But when you build an avatar called Roxy, have her shooting the cancer cells, and then when she feels feel weak you go get her a chemo tap … It’s incredibly powerful.”
Elements of gaming engender powerful emotions; Chemotherapy can become a positive thing and cancer becomes something you can beat. And that’s pretty formidable.
You know what’s getting old? The debate about ageing.
In today’s Observer, molecular biologist Aubrey de Grey is interviewed about how he sees no reason why a human being alive today might not live to 1000. If the prediction sounds familiar it’s because de Grey – this time described as a gerontologist – was subject to a similar profile in Friday’s New York Times, thanks to his being a key subject of Jonathan Weiner’s book Long For This World: The Strange Science of Immortality.
Right here on TechCrunch, Halcyon Molecular’s William Andregg spoke to Cyan Banister about the need for humans to conquer death to allow us the time to reach the stars.
And of course, Ray Kurzweil has been at this stuff for years: according to a 2005 Wired profile “Kurzweil ingests 250 supplements, eight to 10 glasses of alkaline water and 10 cups of green tea. He also periodically tracks 40 to 50 fitness indicators, down to his ‘tactile sensitivity.’”
Christ.
Oh yes, go to any Silicon Valley party right now and you’ll find a scrawny huddle in the corner discussing the science of living forever: a topic that’s gone from fringe to hot to cliché in – ironically – less time that it takes a tsetse fly to start getting interested in girls. But then why wouldn’t it when the science of ageing touches on so many valley obsessions?
For a start, gerontology is a science. But it’s also hacking: human bodies aren’t supposed to live much beyond 80, and these are people who would gladly spend a weekend hacking a Furby to make it curse, just because it’s not supposed to. Bill Gates has described bio-hacking (deathhacking?) as the logical successor to computer hacking. More importantly though, Silicon Valley people are – by and large – massive overachievers. Company founders in their teens, rich by the time they’re 30, angel investors by 31, charitable foundation at 40. No wonder these people want to go on forever: just imagine what they could achieve by the time they’re 1030!
And so the research goes on, millions more dollars are poured in to deathhacking startups by rich-mortal-and-terrified benefactors, dozens more books are published on the subject and every day countless startup founders jump into their Teslas and speed to their “doctors” to pick up the latest batch of pills that they hope will keep them around until someone figures this shit out. And why not?
Here’s why not.
A few months ago I finished writing my book about living in hotels – a second memoir by the age of thirty, which is unwarranted by any measure. My deadline was January 1st, but I finally scraped past the finish line somewhere around the start of March. The truth is, I didn’t need the extra time: I’d already had a year to write the thing, and much of that time was spent dicking around in the name of “additional research”, most of which never made it into the final manuscript. But it’s generally accepted that authors never make their deadlines, and my publisher gladly gave me the 90 days grace I claimed I needed to complete the task.
By contrast, Lacy is about to hit ‘send’ on her second book – a book that required many thousands of miles of travel, hundreds of interviews and an immeasurable amount of actual reporting. And yet she’s delivering right on deadline. Why? Well, mainly because she’s more professional than I am, but also because her publisher (being a serious business publisher rather than a chilled-out literary one) is less generous with deadline extensions. They have a schedule to keep to. And, anyway, Sarah has other important projects to be getting on with and doesn’t want to waste time.
The difference between my behavior and Sarah’s is the classic “time taken to complete the task expanding to fit the deadline” curse. By knowing she’s working to a fixed deadline, Sarah is able to deliver a much more ambitious manuscript in less time than it took me to bash out a memoir for which the only research was getting up in the morning and waiting to see what happened next.
And it’s that same curse that takes us to the heart of the life extension myth: that if we can live longer, then we can achieve more. We blithely assume that it’s the success of Silicon Valley entrepreneurs that makes them fear death so much: they can’t take their wealth or success with them so they are desperate to stick around longer and longer to double and redouble it. But what if the truth is precisely the opposite? What if the real reason these entrepreneurs have achieved so much is precisely because – more so than other mortals – they were born with a keen understanding they are working to a fixed (if unknown) deadline? It’s that fear of death that makes them succeed, not the other way around.
Of course, by extending their lives – if there’s any hard evidence it’s possible, which of course there isn’t – there’s every chance that the current crop of entrepreneurs and scientists will continue achieving greater and greater things until they’re hit by a bus on their 10,000th birthday. Every day will seem like a miracle and they won’t want to waste it. But even so, that first gang of grateful near-immortals will be the only ones to feel that gratitude.
Subsequent generations will never have known the idea of a strict biological deadline – the need to overachieve while there’s still time – and so will be quite justified in taking things easy, diluting their work to fit the time available. Perhaps they’ll start their first company in their hundred-and-teens, they’ll be rich by the time they’re 3000, angel investors by 3100, charitable foundation at 4000? 40,000? Whatever.
But at least they’ll have more time to enjoy life, right? Not really. Apart from rabid over-achieving, there’s another thing that unites all life-extension obsessives: they look like death. “Medievally thin and pale,” is how the Times (quoting Weiner’s book) describes de Grey. Kurzweil spends his days glugging green tea and popping pills, not eating to excess and avoiding recreational drugs. One can only imagine how much fun life would be if you had to live like that for 1,000 years. And by ‘one’, I mean Dante.
So, please God, let’s put an end to this deathhacking nonsense. Let’s flush the pills, stock up on recreational drugs, drive fast cars, work long hours and stay inspired by nature’s crippling deadline to achieve greater and greater things in our fourscore years and ten.
After all, to paraphrase Hippocrates – the original doctor – vita might be brevis but, done right, ars can be very, very longa indeed.
On Friday at our Social Currency CrunchUp, Groupon CEO Andrew Mason sat down for an interview with our own Michael Arrington and Erick Schonfeld. Mason touched on Groupon’s history — including some dabbling with slippers with flashlights, and also gave some insight into the company’s growth as well as his view on the competition.
During the interview, Michael revealed that he’d heard that Groupon was generating $1 million in revenue a day — Mason played coy and didn’t appear to confirm this. However, he did acknowledge that the company is getting a gross margin of 50% or higher, going on to say “it’s a cool business”.
It’s safe to say that Mason, at least publicly, isn’t overly concerned about Groupon’s potential competition. Asked about the possible entry of Google into the market, Mason facetiously responded, “Google, Oh My God!”. And Mason said that Amazon (and Woot, which it recently acquired) were primarily focused on consumer products, while Groupon caters more to local businesses.
Asked about Tippr, which acquired a number of patents relevant to this space, Mason said that Groupon has “had people look at us to see if [the patents] applied and they don’t.” Mason also doesn’t worry much about clones — the company started seeing them pop up in March 2009, but Groupon doesn’t actively do anything about them because “the basic idea of Groupon is not something we can patent” (though they do go after companies that infringe on its trademarks, like its logo).
Other key stats Mason talked about:
Launched in November 2008
A year ago today, we were active in 5-6 cities
Now running in 170 cities in 22 countries
Over 1000 employees now
About 12 million people getting daily email. Adding 2 million a month
97% of businesses featured want to be featured again
Breakage rate is probably around 10%, though Groupon doesn’t directly track it
Asked about advertising on Facebook versus Google, Mason said that six months ago Facebook was often cheaper. However, that’s changing. Mason explained that in the past, when he wasn’t really focused on the Silicon Valley scene, he would look at Facebook’s valuations and not really see how it could warrant them — but now that he’s an advertiser on Facebook, he thinks “they’re going to be worth a lot of money”.
Also see our recent interview with Mason on TechCrunch TV right here.
There were plenty of headlines this week about the lack of security in our various computer networks, from mobile phones to social networks. Here’s a roundup of the week’s news about security technology from the hacker conferences Black Hat and Defcon in Las Vegas.
The most controversial story we ran was about an Android wallpaper app that takes your personal info and transfers it to a site in China. We had to correct the info about the data that the wallpaper app used, but it sparked a larger discussion about how app makers often don’t properly disclose what personal data they are using.
Charlie Miller gives a talk on “How North Korea could build a cyber army to defeat the U.S.” The tongue-in-cheek presentation is pretty frightening.
Digital fingerprints could give away the identity of virus writers. Greg Hoglund finds that patterns in virus-writing tools and other software can leave a trail for investigators.
Seven security experts get the key to reboot the internet in case of catastrophe.
China may overtake Japan to become the world’s second-largest economy this year. On its heels is India, and countries such as Brazil and Russia are not far behind. What does this mean for entrepreneurs? That, increasingly, the big opportunities lie outside the U.S. Most people aren’t aware of another advantage in emerging markets: you can freely leverage the wealth of proven intellectual property that has already been created in developed economies. Most countries outside the U.S. and Europe lie in a Patent-Free Zone—where companies have not filed patents because they believe there is no market for their goods. So this intellectual property is available to anyone in those nations who can find a use for it.
Take the iPhone as an example: it has over 1000 patents; yet Apple does not apply for patent protection in countries like Peru, Ghana, or Ecuador, or, for that matter, in most of the developing world. So entrepreneurs could use these patent filings to gain information to make an iPhone-like device that solves the unique problems of these countries. Apple has so far received 3287 U.S.-issued patents and has 1767 applications pending: a total of 5054 (for all of its products). Yet it has filed for only about 300 patents in China and has been issued 19. In India, it has filed only 38 patent applications and has received four patents. In Mexico it has filed for 109 and received 59 patents. So even India, China, and Mexico are wide-open fields.
Now consider diabetes technology. At the end of 2009, there were more than 12,070 patents issued or pending in the U.S. In Jordan there were only 36, and none were filed in most of Africa. Big pharma considers these markets either too small or too poor; it also hasn’t produced affordable drugs for the millions of desperate people who are increasingly suffering from disease in Africa and the developing world. But there is nothing stopping entrepreneurs from completing these tasks. The blueprints are readily available in the U.S. patent database.
JiNan Glasgow, a North Carolina–based patent attorney and CEO of NeoPatents, has been researching the global patent system and developing technologies to explore and map the patent databases. She found that only 5–10% of patents that are filed in the U.S. are actually used to provide commercial value. The rest go to waste.
Glasgow also found that most U.S. companies have been ignoring emerging markets and not filing any patents there. When she compared the geography of patent filings with the UN Human Development Index, she noted a strong correlation: the richer the country, the greater the number of patents. This means that the wealth of the developed world’s intellectual property is freely available for use in the emerging regions, where patents are not filed. Glasgow called this the Patent-Free Zone—which covers most of the world, except for the U.S. and Western Europe. BRIC countries (Brazil, Russia, India, China) have only recently seen increases in patent filings—so all the patents filed in the U.S. over the past few decades are still within the free zone.
The way the patent system works is that when you have an idea that is new and unique and you want to protect it, you file a patent application with the United States Patent and Trademark Office (USPTO). If the USPTO determines that you are indeed the original inventor, it grants a patent, a temporary monopoly that stops others from making, using, selling, offering for sale, or importing your invention in the U.S. for 20 years. But this is only in the U.S. To restrict people in other countries, you need to file a patent in that country, and to do so within one year of receiving a U.S. patent. Most U.S. inventors don’t care, because they are focused on local markets. But multinationals do usually file patents in every country where they expect to do business. It is legal for anyone in the countries where patents aren’t filed to use these ideas. And this opens up big opportunities in those countries.
Take desalination, in which GE is one of the largest players. GE has spent more than $4.1 billion to acquire its part of the desalination business. Yet a decade after commencing, they’re still nowhere close to making desalination affordable and sustainable. GE’s progress depends on the patents it owns. As of 2009, GE invented 47 of the 832 U.S. patents in this field—just 5.6%, or a little more than one-twentieth. Consider the progress that GE could make if it could also use any of the patents that it doesn’t own—of which there are many.
How much better would the world be if we didn’t have to spend another ten years waiting for innovation in the desalination space? There are many areas of collaboration in the Patent-Free Zone that could produce innovative solutions for our world. Solar power, electric cars, mobile technologies for the poor, disease eradication, medical devices, food processing—to name a few. Wouldn’t it be ironic if poor countries ended up solving the problems of the rich? And I’ll ask my entrepreneur friends the same question I’ve asked before: What’s Better: Saving the World or Building Another Facebook app?
Editor’s note: Guest writer Vivek Wadhwa is an entrepreneur turned academic. He is a Visiting Scholar at the School of Information at UC-Berkeley, Senior Research Associate at Harvard Law School and Director of Research at the Center for Entrepreneurship and Research Commercialization at Duke University. You can follow him on Twitter at @vwadhwa and find his research at www.wadhwa.com.
Garry Pejski did some penance yesterday. In a room full of his peers, he admitted something that he was ashamed of. He told the crowd of hackers and security researchers at the Defcon security conference in Las Vegas that he once wrote spyware, or software that spies on people and tricks them into doing things.
Living in Toronto, the 31-year-old has since reformed and now writes custom software and tests security for power plants. But his time spent as a spyware developer in 2004 has haunted him for years. His tale is a cautionary one for young hackers, and it offers a rare glimpse inside the shadowy world of spyware, a massive underground industry which dances on the edge of legality. (See our roundup of all Black Hat and Defcon stories)
Six years ago, Pejski was an unemployed programmer living in Vancouver.
“I was broke,” he said. “My money was running out. I was getting a bit desperate. I had no security technology background. I was just a developer.”
Pejski had a two-year technical degree and a bartending certificate, so he wasn’t in high demand. On Craigslist, he found a listing for a job as a programmer. He applied and did an interview on a Thursday. His boss, a 19-year-old kid, told him to start working the following Monday. Pejski seemed to know the most about programming, so he was appointed lead programmer on a team of five people. The kid was paid by somebody else to run this shady business, which actually had pretty nice offices. Before, the kid had been using an outsourced programming team in India, but it didn’t work out. There was a falling out, Pejski found out later, because the kid never paid the team in India for the code they created.
That’s why the local Canadian team was put together. They were told to build spyware. Pejski didn’t know anything about it, but he joined a security email group and read up on the subject by doing Google searches. He found that it didn’t take much skill. They created a spyware program that tricked people into clicking on a link, which would then initiate the installation of a software program on the user’s computer. That software gave Pejski’s team the power to take over the machine. Pejski’s software could change the home page of the computer, modify the search provider, initiate pop-up ads, and install new programs. Pejski (pictured below) declined to name the company he worked for or his boss.
How the spyware worked
The big task at hand was to get the spyware installed on a computer so that the user or protection software wouldn’t notice it. The spyware server software ran on servers in Russia. The Russians guaranteed that no one would ever succeed in shutting down their servers, and that turned out to be true. Technically, Pejski’s team programmed in Visual C++ and created ways to hide their files from users who would go searching through their computer hard drives. The spyware software could be installed by exploiting a bug in a file that was associated with the Windows Media Player. That bug persisted for years until it was fixed in the middle of 2004. The bug allowed the spyware to remotely take control of a user’s machine and pretty much do whatever it wanted to do. The spy program was hidden in an IFrame, or a microscopic box that was invisible to the human eye.
“Basically, we owned your machine if you got hit with the spyware,” he said.
Once it popped up on a user’s screen, the spyware was hard to evade. When a user clicked on an ad that advertised it, a pop-up screen would appear, advertising a “browser enhancer.” The box explained, “Congratulations! You have been awarded a browser enhancer” that would provide considerable amounts of software “free of charge.” There was a link on the page to about 20 pages of terms of service. That link is what Pejski’s boss said kept the whole thing legal. It disclosed in fine print everything it would do. That was the legal escape valve. If the spyware company were ever questioned in court, it could say that it told users everything that it was going to do to their machines. Pejski didn’t bother finding out the truth about the legality of the spyware and the disclosure statement at the time.
“This wasn’t hard at all,” Pejski said. “All you needed was no conscience. The business attracted the worst scum bags.”
Pejski’s boss told him that the software was legal. Users saw a page that looked like a pitch for free software. If they clicked on the “X” before they unchecked a question box, the software would install anyway. If they unchecked the question box, and then clicked on the X, the software would install. It was only if the user clicked on the left side of the box and unchecked the question box would it fail to install. Every time the pop-up appeared, it pretty much led to the installation of the software.
On the server side, Pejski could see reports of how fast the spyware was spreading on a daily basis. Pejski’s team had experimented with antivirus software at the time. If the spyware program had remained unchanged each time it was installed on a user’s machine, antivirus software would catch it. But Pejski got around that by making each software installation unique. The software, for instance, created random filenames on the computer as it installed itself. No malware protection software was able to detect it. There were other tricks that Pejski’s team used, but he chose not to share them with the Defcon crowd. Pejski doesn’t know if today’s antivirus software is smart enough to catch such morphing programs. The antivirus vendors themselves say they can catch them; one technique that works well is “whitelisting,” where users are allowed to visit only pre-approved clean sites. If they click on spyware, they are warned of a problem; Microsoft’s Windows 7 has such warnings in place, though they’re not particularly easy to use.
A money-making scam
Pejski’s boss and his boss’s boss had a scheme to make a big pile of money through “affiliate hijacking.” This was an abuse of affiliate referral programs run by companies such as Amazon.com. The spyware would redirect the user to a web site that was selling something. If the user clicked and bought something, then the seller kicked back some money to the referring site, which was the spyware program. If you were a fan of Twilight, for instance, you would click on “buy Twilight merchandise” and the site gets credited for a sale. There were hundreds of different affiliate sales deals.
Thanks to its deceptive trickery, the spyware software was installed on more than 12 million machines. But the affiliate deals led to not a single dime of revenue. The anti-fraud departments of the merchandise sellers were on to the spyware vendors. While the sellers made money from all of the referrals, they refused to pay any money to the spyware companies that made those sales possible.
“They took the consumers’ money, but weren’t willing to pay the scam artists who made the deals happen,” Pejski said.
As a result, the company started running dry on money. But Pejski’s boss made a lot of money. That was because the scam that worked was “pay per install.” That was a deal where companies paid the spyware company 10 cents for every program that it succeeded in installing. So something like 20 software programs were installed on a machine every time that the spyware was installed itself. Sometimes, the spyware creators got so greedy that they would install tons of software that completely bogged a computer down.
The installations were comic. There might be a bunch of search tool bars installed, each affiliated with a different advertisers. The software programs would try to uninstall rival software. Some would even install antivirus programs that deleted everything else except the spyware. The customers who paid the spyware company per install would pay for about 60 percent of the installs. Based on 12 million installations, with about 20 programs, and payment of 10 cents each for 60 percent of the installs, Pejski calculates that someone made $14.4 million from the spyware installs, which happened in a relatively short period of time.
Somebody got rich off of this kind of scam. But it wasn’t Pejski. One day, on a pay day, Pejski’s boss didn’t show up at work. The company shut down. Apparently, the boss had gambled the money away and never paid the programming team again. Pejski still needed work, so he went to work doing the same thing for the boss’s boss. The other programmers went off to start their own company. Pejski worked on his own, putting in 80 hours a week. He made enough money to get started on a search for a real job.
The hard lessons of creating spyware
The problem was that, once he had a little money in his pocket, Pejski had a conscience.
“I like to be able to sleep at night,” he said. “This stuff we were doing goes on grandma’s computer and victimizes her. The reason I am giving this talk is to say that it is not worth compromising your ethics for money. I was broke. I knew it was wrong. It was just not worth it.”
He made the switch to working on legitimate software. On his resume, he put down that, at this time during his career, he was doing “contract work.” Pejski said that during the whole time the spyware company operated, it was never threatened with prosecution. He is now a consultant and programmer.
Pejski said he isn’t sure how to put an end to spyware. He isn’t confident that antivirus software will be able to purge the ever-evolving spyware programs and other malware. He believes whitelisting will help, but that limits what kinds of sites users can visit. For neophyte users who aren’t technical, that might be acceptable.
As he closed his speech, Pejski got a huge round of applause. Though he was nervous, Pejski held the crowd spellbound. Defcon was a good place for Pejski to tell that story, since it is full of impressionable young hackers who want to make a name for themselves. To make sure they got his point, he repeated it.
“Creating spyware is not hard,” he said. “You can easily make a lot of money on the internet. if you have no scruples. Stay away from the scum bags, because they will rip you off. Your honor is worth more.”
I’ve spoken to four different investors over the last two weeks trying to get at least a small piece of an angel financing round being quietly pitched by Delicous founder Joshua Schachter. He’s raising just $1 – $2 million, we’ve heard, at a valuation that may be as high as $15 million.
You know what’s getting old? The debate about ageing.
China may 
JiNan Glasgow, a North Carolina–based patent attorney and CEO of 
