Security Researcher Spins E-Voting Notoriety into Gold

Avi Rubin, who made a name for himself exposing vulnerabilities in electronic voting kiosks from Diebold, is launching a private company that will find security problems in other products.

Security researcher Avi Rubin, who made a name for himself exposing weaknesses in electronic voting equipment, will soon be cracking open other companies' products—for a fee.

The Johns Hopkins University researcher and a team of top graduate students have launched Independent Security Evaluators, or ISE, a private company that will find security problems in other products. The group is hoping to cash in on the notoriety they gained cracking the security of e-voting kiosks and tap strong demand for ethical consultants who are also skilled at breaking security technology.

Rubin, a Professor of Computer Science and Technical Director of the Information Security Institute at Johns Hopkins, first gained notoriety in 2003 after he published a technical analysis of e-voting kiosks from Diebold that showed the systems were vulnerable to hackers and vote manipulation.

Rubin says he was overwhelmed with phone and e-mail requests from other companies seeking his services after news spread about his analysis of Diebold's product and, more recently, of consumer RFID (radio-frequency identification) technology from Texas Instruments.

"People started coming to me and saying, 'Analyze this,' and 'How much do you charge?' and I was like, 'We don't do this!'" he said.

Rather than being turned off by the negative attention Rubin's work earned for companies like Diebold and TI, Rubin said that people seeking his help admire him and his team for the work they've done.

"These are companies who don't want to be the next target," he said.

Rubin will be joined at ISE by a cadre of top graduate students who will make up a kind of "A-Team" of security experts, each with a different area of expertise, on top of strong programming, engineering and technical skills.

Adam Stubblefield, who recently completed a Ph.D. in computer science at Johns Hopkins, is the team's resident expert on cryptography and crypto analysis. Matt Green, another Rubin protégé, brings expertise in wireless network technology and security, as well as elliptical curve cryptography. Steve Bono is ISE's expert in electrical engineering and radio frequency technology—"the guy with all the antennas," Rubin said.

ISE, which began work in March, will do product stress tests and design analysis that Rubin calls "red teaming," in addition to code analysis.

Some of the company's earliest customers have been other security companies. Cryptography Research Inc. of San Francisco used ISE to evaluate its Self-Protecting Digital Content proposal for augmenting Advanced Access Content System (AACS), encryption technology that is being proposed for securing HD-DVD and Blu-ray format media, according to a statement from Applied Cryptography.

Companies are attracted to ISE because its members have proven expertise but are not ex-hackers with checkered pasts, Rubin said.

"There are so many so-called security experts popping up, but there's also a lot of pent-up demand for true, trusted expertise that you don't have to worry about," he said.
