MIT Technology Review



Most security software defends PCs and websites by acting like a locked door to shut hackers out. A new security company, Mykonos Software, instead invites hackers in through a fake entrance and plays tricks on them until they give up.

“If you break in, I want to have fun with you,” says David Koretz, CEO of Mykonos. Koretz claims that the computer security industry is too timid—he advocates making hackers’ lives tedious and difficult instead.

Mykonos sells software intended to protect websites against attacks—like those on Sony’s websites last year that yielded thousands of credit-card numbers—aimed at gaining access to valuable data such as user credentials. When Mykonos’s software identifies an attacker, it tries to waste the hacker’s time by offering false data such as phony software vulnerabilities and fake passwords. This week, the 19-person company announced it had received $4 million in investments from a number of Web and technology company leaders, including Jeff Clark, the chairman of Orbitz.

The company’s software is aimed primarily at hackers who use automated tools that identify and exploit vulnerabilities in websites, says Koretz. Such tools allow even relatively unskilled hackers, sometimes dubbed “script kiddies,” to cause considerable damage.

Wasting assailants’ time “changes the economics” of attacking websites, says Koretz. “At the end of the day, there are a finite number of hackers, and if you break all of the automation, it becomes something only some people can do,” he says. “It’s a step towards making it more like bank robbery, a manageable problem.”

Mykonos software first needs to accurately identify attackers, to avoid breaking a site for legitimate users. The company’s software does that by using small snippets of code injected into Web pages, forms, and other data sent out to a computer accessing the site. The snippets are placed so that they will be altered by the most common methods used to probe for security vulnerabilities. When these snippets are altered, Mykonos’s software automatically notes the IP address of the potential attacker.
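The tripwire idea described above can be sketched as follows. This is an added example, not Mykonos's code: it assumes a hidden decoy form field (`debug_mode`, a hypothetical name) signed with a server-side HMAC key, and it records the client IP when that field comes back altered or missing. The session IDs and IP addresses are constructed.

```python
import hashlib
import hmac
import secrets

SECRET_KEY = secrets.token_bytes(32)  # assumption: per-deployment server-side key
DECOY_FIELD = "debug_mode"            # hypothetical field a normal browser never edits
DECOY_VALUE = "false"
flagged_ips = {}                      # client IP -> list of reasons it was flagged


def sign_decoy(session_id, value):
    """HMAC binding the decoy value to one session, so the server keeps no state."""
    msg = f"{session_id}|{DECOY_FIELD}|{value}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def render_form(session_id):
    """Login form with the decoy and its signature added as hidden inputs."""
    sig = sign_decoy(session_id, DECOY_VALUE)
    return (
        '<form method="post" action="/login">\n'
        '  <input name="user"><input name="password" type="password">\n'
        f'  <input type="hidden" name="{DECOY_FIELD}" value="{DECOY_VALUE}">\n'
        f'  <input type="hidden" name="{DECOY_FIELD}_sig" value="{sig}">\n'
        '</form>'
    )


def check_submission(session_id, form, client_ip):
    """Return True if the decoy came back intact; otherwise note the IP."""
    value = form.get(DECOY_FIELD)
    sig = form.get(DECOY_FIELD + "_sig", "")
    if value is None:
        reason = "decoy field removed"
    elif not hmac.compare_digest(sig.encode(), sign_decoy(session_id, value).encode()):
        reason = "decoy field altered"
    else:
        return True  # legitimate browsers echo hidden fields unchanged
    flagged_ips.setdefault(client_ip, []).append(reason)
    return False


if __name__ == "__main__":
    sid = "sess-1"  # constructed sample session
    form = {DECOY_FIELD: DECOY_VALUE, DECOY_FIELD + "_sig": sign_decoy(sid, DECOY_VALUE)}
    print(check_submission(sid, form, "198.51.100.5"))                          # intact
    print(check_submission(sid, {**form, DECOY_FIELD: "true"}, "203.0.113.7"))  # altered
    print(flagged_ips)
```

Because a legitimate user never touches the hidden field, a flag from this check carries a low false-positive risk, which is the property the article says the product depends on.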

If an attacker is using a Web browser to probe a site, a small, tough-to-delete tracking file known as a “supercookie” is injected into it. If nonbrowser software is being used, the characteristics of the attacker’s computer are “fingerprinted.” When the same computer returns, the defense software knows and can respond appropriately.


Credits: Mykonos Software

Tagged: Computing, Web, security, software, hackers
