Fatal System Error (12 page)

Read Fatal System Error Online

Authors: Joseph Menn

Tags: #Business & Economics, #General, #Computers, #Security, #Viruses & Malware, #Online Safety & Privacy, #Law, #Computer & Internet, #Social Science, #Criminology

BOOK: Fatal System Error
12.96Mb size Format: txt, pdf, ePub
Barrett’s departure could not have come at a worse time for Prolexic. The company was about to take on its most unusual client, an anti-spam firm based in Haifa, Israel, and in Silicon Valley’s Menlo Park, where venture capital firms had invested $4 million in it. Blue Security Inc. had a radical idea for stopping spam. Over the course of a year, it compiled a list of 450,000 email addresses of people who wanted to be protected. Blue Security then contacted major spammers, telling them to purge Blue Security’s clients from their target lists. If they refused, the security company warned, the free software on its clients’ machines would send “opt out” requests simultaneously to the spammers, in effect launching a vigilante denial-of-service attack on the mass-mailers. Impressively, many of the spammers complied, and some longtime spam foes hailed Blue Security as the culminating triumph of tech-savvy volunteerism that could save the Net from a host of ills.
Much remains murky about what followed, including exactly which spammers fought back. But Blue Security clearly had not thought everything through. For starters, it had assured clients that the email addresses they provided would be encrypted for their privacy. The idea was that spammers willing to purge their lists would have to submit their own roster to Blue Security for cleaning. But it was child’s play to do that and then compare the two lists, making it apparent which intended recipients were working with Blue Security. Those people then began getting emails with threats like “You cannot participate in illegal activities and get away with it” and “You will end up receiving this message, or other nonsensical spams 20—40 times more than you would normally ... just remember one thing when you read this, we didnt do this to you, BlueSecurity did.”
In a series of instant-message chats with Blue Security, a spammer calling himself Pharma Master, presumably one of the many specialized in peddling counterfeit medications, threatened worse: “u started with my and my people and my staff, you shall get hurt first to feel who we are ... how about each time you play games I’ll hit your company? ... I wish you can have 10 million of users so my people can infect them and with the short period we’ll be recording the ddos ip’s and make sure to infect this users and make them ddos you.” And in a spammer IRC channel monitored by security professionals, the bad guys egged each other on: “Guys, download the DB [database], spam it, compile your lists with it and trade it around. Use them as froms, mail your anti [spammer] DB with them, do whatever you want. Let this database leak to the point all these stupid ass fucks have to get new e-mail addresses. Adios bluefreaks.”
Blue Security did next to nothing to prepare for the easily anticipated DDoS attacks against it. Its main website was hosted in a conventional facility, sharing a server with many other companies. In early May 2006, one or more spammers knocked Blue Security offline. The company then redirected people trying to reach its main website to a blog hosted at
TypePad.com
, where it could update clients on what was happening. This was, to say the least, inconsiderate. The DDoS assault naturally followed the switch, taking down not just Blue Security’s blog but 2 million others associated with the popular TypePad blogging software. A similar fate befell Toronto Web services company Tucows, which provided domain name services for Blue Security. Hundreds of thousands of other Tucows clients were shut down. Twelve hours later Tucows dropped Blue Security like a hot potato, ending the attack but leaving Blue Security without a website that anyone could find.
Only days later did Blue Security do the obvious thing and hire Prolexic, which got Blue Security back in the game for more than a week. It wasn’t an easy task. Not only did the spammers continue their industrial-strength DDoS attack, they sent unsolicited mail that appeared to come from Prolexic, which prompted many spam filters to start rejecting legitimate Prolexic emails. Yet the defenses held, according to Joe Daly, which is why it was very strange to hear Laslop’s end of a phone conversation with the head of Blue Security on May 16. CEO Eran Reshef said that he was giving up. When a surprised Laslop relayed the news, Daly didn’t get it. “Why? They’re up right now,” Daly told his boss. Laslop said he thought Reshef’s life had been threatened.
Blue Security’s site stayed up long enough for it to post a cryptic goodbye message. “We determined that once we reactivated the Blue Community, spammers would resume their attacks. We cannot take responsibility for an ever-escalating cyberwar through our continued operations.” The company stopped doing business, and the previously media-friendly CEO never gave any interviews about why he quit. It could have been death threats, fear of legal repercussions, or concern for the fate of Blue Security users. But perhaps Reshef knew what would happen next. Less than twelve hours after his unsigned farewell, the spammers launched a major attack on UltraDNS, the company that provided domain name services and backup bandwidth to Prolexic.
That assault put away Blue Security’s website and downed hundreds of other Prolexic customers as well. While the apparent order of events—a surrender followed by a catastrophic attack—left some room for quibbles, it appeared to reasonable observers that Prolexic had been beaten, badly and for the first time. “Goliath Wins,” proclaimed the
Washington Post.
Prolexic itself was down for hours, to the alarm of the security community. “If they can take down prolexic and KEEP them off-line, we are in trouble,” wrote one regular poster to an anti-spam discussion board at volunteer security group CastleCops. “The guy behind prolexic is a magnitude 9 genius. Let’s hope that is enough.”
But Barrett had been quietly gone for more than a month. A day later, after Prolexic got back up, Darren penned his own postmortem on Prolexic’s site. “We understand that once customers of Blue Security started receiving real threats of viruses/worms/DDoS/etc. attacks against their own networks, Blue Security realized that they were putting many other businesses in jeopardy by continuing the fight with the spammers. Not wanting to escalate the war on their customers, Blue Security, understandably but regrettably, decided to exit the anti-spam business on May 16th.... Currently Blue Security has taken their site offline, to avoid themselves being responsible for any further attacks on their customers. Whether or not you applauded Blue Security for taking the fight to the spammers, I’m sure you’ll agree that it is a sad day when criminal spammers win. Blue Security will be missed.”
Things might have been different if Barrett had been there. At a minimum, Prolexic would have gone in fully armed. That’s because Prolexic’s initial deal with UltraDNS allowed it to rely on all of that company’s bandwidth, which could have absorbed the attack that felled Prolexic in May. But UltraDNS wasn’t happy with the terms of that deal, since it let Prolexic resell UltraDNS connections for less than what UltraDNS charged its own customers. In fact, UltraDNS had been watching Prolexic grow with no small amount of jealousy, and it had recently introduced its own denial-of-service offering, sending a sales executive to court the same gaming firms in Costa Rica that had been Prolexic’s early customer base. Not long before Barrett left his company, UltraDNS complained that some of the attacks on Prolexic customers were putting too big a strain on its resources. It said the best solution would be to “quarantine” Prolexic customers on specialized UltraDNS equipment, ensuring that other customers wouldn’t be crushed by any overflow. “We really need to talk about getting your zones moved to a new set of dedicated ip addresses and servers so that we have a better shot at managing during a ddos,” wrote UltraDNS founder Rodney Joffe in February 2006, before Barrett moved back to California. Barrett thought for about a second before saying no: isolating Prolexic meant it could rely on far less of UltraDNS’s resources during an attack. In case Prolexic’s differences with UltraDNS escalated, Barrett drafted a contingency plan for Prolexic to get more bandwidth on its own.
As soon as Barrett left, UltraDNS made a renewed quarantine push, and this time Prolexic agreed. “Those guys were and are jack-asses,” Daly said of the top brass at UltraDNS. “They removed us off the servers. It was death for us.” A former UltraDNS employee admitted that the quarantine was rough treatment, despite what the company said at the time. “We didn’t have the best deal with them,” the former employee explained. “They were offering us as a package deal at way below what we charged.” The quarantine left Prolexic hopeless before the onslaught from Blue Security’s enemies. Barrett never said so in public, but the truth is that Prolexic might have beaten the spammers if he had still been on board. Though it’s impossible to know for sure, it certainly would have been an epic battle, and possibly something that changed the momentum in the war against the robot hordes.
BARRETT’S EXIT WAS JUST AS MESSY on the corporate side. Equinix, the big data-hosting company, offered to buy Prolexic for $10 million in July. Prolexic’s backers refused, and Barrett called a meeting of Prolexic’s board to argue the point. He got nowhere; Darren called the offer “terrible.” The issue of gambling clients, meanwhile, grew increasingly important as legislation to explicitly ban online wagering gathered steam in Congress. As passage looked more likely, Barrett called for another board meeting to consider whether all gambling customers should be dropped. “I feel the company is tainted by the associations with online gambling and no matter how ambiguous the laws may be, Prolexic must eliminate any risk it may have in the future by making a clean and precise separation from gambling business now,” he wrote on October 20, 2006. When no such meeting was scheduled, Barrett quit the board.
Unless they just wanted to frustrate Barrett, or to keep control of Prolexic to launder money, it’s unclear why Darren, Mickey, and Brian wouldn’t sell to Equinix. From early on, they had sought the opportunity to cash out. All the way back in May 2004, soon after Darren took over day-to-day control of Prolexic, he arranged a group meeting at the posh St. Regis hotel in Los Angeles with a man named Jonathan Strause, who had co-founded a small consulting and banking firm, Bellwether Group, that specialized in mergers and acquisitions. That firm was soon hired on, for at least $300,000, to develop a business plan, and Strause in turn arranged meetings with Wedbush Morgan, a bigger L.A. investment bank. It gradually emerged that Strause, for all his Wharton business school and McKinsey & Co. credentials, had previous connections to both Darren and Mickey.
After another meeting at the Clift Hotel in San Francisco, Strause had a few drinks and explained to Barrett that not everything he did was traditional. In fact, he had a sort of gambling hedge fund for investors on the side, which he directed toward what he thought were sure things. Strause also worked with Mickey to take over a bankrupt company that took bets on virtual horse races. Later, Mickey would tell Barrett that Strause had succeeded Darren in running Digital Gaming.
In 2008, Prolexic’s backers finally sold the firm for $10.5 million to a publicly traded Philippines Internet company called IPVG, which ran data centers and did outsourcing for Fortune 500 companies. One of its units was a Prolexic customer that also resold Prolexic services. Once again, personal ties played a role. IPVG’s deputy chairman was Roger Stone, a friend of Darren’s who had been CEO of gambling software firm IQ-Ludorum. A number of maneuvers watered down Barrett’s expected cut of the proceeds before that sale closed. Of the initial $3.5 million payment, for example, $1 million each was designated for repayment to Mickey and Brian for “loans” to Prolexic. Considering that Mickey and Brian had initially put up just $250,000 in total, the sale produced an extremely healthy return. Then again, the mafia has always done well in the protection business, and in this case, the protection was real. IPVG defaulted on its final payment, leaving Barrett with $400,000, a third of his promised payout.
5
CRACKDOWN
IN MID-2006, A MONTH AFTER giving all the information he had on Mickey Richardson and Ron Sacco to Paul Betancourt and quitting Prolexic, Barrett finally heard back from the FBI agent. Betancourt had been interested after all, but needed time to research what Barrett had told him. “It all checked out,” Betancourt said. He began asking a lot of questions, building a case against Prolexic’s investors and some of its clients. He and Barrett would talk almost every day during the next year. Barrett ran down all of Digital Gaming’s and Digital Solutions’ customers for Betancourt, and as Betancourt nosed around, he found one that was already in the crosshairs of a gambling probe being run by the district attorney in the New York borough of Queens. That investigation, involving a private, password-protected site called
Playwithal.com
, was farther along, so Betancourt decided to piggyback. “They wanted to use the Queens case as an excuse to get financial information on the people around Prolexic,” Barrett said. “They looked at it as a huge smorgasbord of bad stuff.”

Other books

Mare's War by Tanita S. Davis
Todo se derrumba by Chinua Achebe
Across the Wire by Luis Urrea
Rust by Julie Mars
The Soft Whisper of Dreams by Christina Courtenay
Maggie Undercover by Elysa Hendricks