Meet the Russian-American Hacker Who's on Your Side
WHY YOU SHOULD CARE
Because while curiosity might have killed the cat, it might have also made him really, really rich.
By Eugene S. Robinson
Hi Friend, it’s me, The Tick, and I’ve got exciting news! I have joined OZY as an editor — of the super variety! It’s a job with words, and grammar and stuff! Because there’s only one thing mightier than the pen: Me! And from Aug 25, you can watch me be mighty on Amazon Prime.
GI Joes? No. Nothing about the playworld of plastic dolls held much purchase for Michael Borohovski, a New York native and the only son of Russian immigrants who’d hooved it out of the Soviet Union for Israel as soon as they could. His interests trended toward the mysteries inside machines: “erector sets I could put together, or little calculators and computer toys I could take apart and play with,” explains Borohovski on a recent Sunday in the heart of California’s Silicon Valley. “I was interested in why and how things worked, rather than just that they did.”
An impulse that led to semi-typical pre-teen pursuits like magic, juggling, and keyboards, but also really atypical ones. At 9, Borohovski started figuring out Visual Basic and COBOL, inelegant programming languages that still have the power to baffle but that he was teaching his college sophomore sister. She never used them, largely due to a lack of interest, but Borohovski? A totally different story.
“It was a eureka moment for me because I could actually make my computer do stuff,” says the now-30-year-old. A Pentium 133 that Borohovski split the cost of with his parents was now making pretty algorithmic light shows. He was also using it for games, Sub 7 to be exact, and then, presciently, hacking games. “My best friends and I would have wars with each other where we’d steal each other’s accounts and try to one-up each other,” he recalls. “That was actually how we got better.”
Hacking is not a technical issue, it’s a political one.
The “we” being Borohovski and a friend who formed Intense Beta Elite, or IBElite, a site that posted screenshots of and info on leaked Microsoft beta releases and had tons of traffic, according to Borohovski — until the pair got girlfriends and started high school. Borohovski got into Stuyvesant High School — the most selective of New York City’s nine specialized high schools — that gathered kid geniuses from across the five boroughs and set them loose. By the time he was 16, Borohovski was interning at Morgan Stanley and running his first company.
“My family needed the money,” he says simply. His company, Glexicon Communications, a web hosting company and VPS provider, made the fatal mistake of picking up contracts from a failing company in the same space only to see its workload triple just as everyone on staff was taking SATs and trying to get into college. The upshot? The company died after 18 months, and Borohovski, who planned to join the military if he didn’t get into one of the two schools he’d applied to, headed off to the first to accept him: MIT.
And in short order internships at financial companies and Apple and trying to hammer out a plan while teaching computer science to Palestinian and Israeli kids in the Middle East. But it wasn’t until he graduated that a worldview started to coalesce. He was doing software security – vulnerability discovery and exploit development – for the defense and intelligence community at a company called ManTech, and hating it. Then he and Ainsley Braun, a fellow MIT grad, came to see that danger was literally everywhere. “We were constantly finding vulnerabilities in websites we used every day,” Borohovski says. “And we decided to stop them on the development level.”
That decision, taken in 2011, took the form of Tinfoil Security, which offered simple, automated security tools, precisely when the security space was heating up. Their company launch also dovetailed with Ken Ross, longtime Silicon Valley angel investor, turning his interest to DevOps. “Scanning apps that are being developed before they go to market,” said Ross, who put his money where his mouth was, “was a smart way to stop the bad guys before they could do much damage.”
Like by hacking an election? Borohovski, fluent in Russian, takes a breath and, speaking like a man whose pauses say as much as the sentences on either side, opines, “Putin’s main interest is staying in power, and Russia has always been aggressive regarding cyber-warfare. So has China and the U.S. But hacking is not a technical issue, it’s a political one. In other words: the means has always been there.”
A sentiment seconded by 99.44 percent of the folks on a well-traveled hacker’s forum on Reddit, where the general consensus is that even the smart folks are never quite smart enough. “Bad guys are going to get in wherever they want to,” says Stanford engineering PhD Albert Chang.
And while it’s not entirely clear that Borohovski and Tinfoil are in any position to stop them completely, that’s not really the point, says Nick Schilbe, a computer security expert and former senior director at WhiteHat Security. “Let’s assume the hacker or bad guy is a roach,” Schilbe says. “Most companies don’t have roaches but live in a neighborhood that can easily become roach infested. And all of them pretty much have holes in the foundation, leave food out constantly and have clutter everywhere.”
Which makes for a hell of a business model. One that Tinfoil Security, in the six years since launch, seems to have sold to tens of thousands of clients ranging from small businesses to the enterprise and Fortune 10 companies. Sold with the implicit understanding that you can pay the bad guys to work for you, in which case they become the good-bad guys (Tinfoil’s staff is 20 deep with another 15 hires planned for 2017). Or you can hope your luck doesn’t run out — though no one with a realistic grasp of the digital world appears to put much stock in luck.
“Look, my parents believed that everything had to be tried once, or you’d regret not trying it,” Borohovski says. “This philosophy has stuck with me.” The difference being that most hackers will try more than once, and from elections to business and the business of elections, it seems smarter to keep stuff safe than not.
“Security is very complicated,” Ross says. To which Borohovski might and did respond: “Well, it’s not supposed to be easy.”