The Digital Skeptic: Hacker Barnaby Jack Knew Dollar Value of the Truth

NEW YORK (TheStreet) -- Barnaby Jack knew better than anybody I'd ever met what to do when the information companies coddle turns to dust.

"I remember when I told Triton, one of the ATM outfits I'd analyzed, that, yeah, I could make their machines spit out cash," I was told a few years back by Jack, a so-called white hat security analyst at IOActive, a global information security research firm with an office in Seattle. "They actually took it in stride and said, 'OK, let's fix it.' That's not what often happens."

The native New Zealander, during a chance conversation at a San Francisco conference, patiently explained to me the intricacies of how, with no inside knowledge of Triton's business, he fooled a commercially available ATM into blowing money all over the floor.

"It's all public by now, so I can talk about it," he explained. "The machines aren't really that locked down. I could get a USB drive into one of 'em, upload some software. And that was that."

Now comes the sad part: As much as I would love to get Jack's deep, investor-focused dive into what to look for as companies and governments handle the never-ending stream of digital age security blunders, I can't. Tragically, this 35-year-old security genius died last week, just before the Black Hat security conference in Las Vegas.

"He was a compelling figure," Henry Schwarz told me on the phone -- which is about the last thing I would expect this man to say. See, Schwarz was the software project director for the Mississippi-based ATM maker, with more than 200,000 machines worldwide, that Jack took down.

"It is a blow," he acknowledged. "It is not just the damage to your products and your company's good name. But there is a deep, emotional cost to having your machine hacked."

And yet, Jack was somebody Schwarz came to admire.

"As much as they are the last people you ever want to hear from," he said, "when they knock on your door, you have to respect them as a legitimate security analyst and not to vilify them."

Fix it first. Fight about it later.

Schwarz has blogged and spoken about his experiences ridding thousands of Triton ATMs of the vulnerabilities sussed out by Barnaby Jack. And he has real lessons for investors who wonder if the security nightmare will ever end.

"The trick is not to panic," he said. The easy thing for an organization to do, he said, is to look for ways that don't face the hard technical problems. He's seen companies consider legal options or punitive civil actions in court or otherwise find some way to evade the hard work of solving a real problem.

"That just distracts from the issues the breach reveals," Schwarz said. "First things first, you need to issue a technical fix and patch the hole. That's the highest priority. The damage control comes later."

What's critical for investors to understand is how important that security story has become to some of the deepest pockets of the digital age.

"Security is as major a factor as any we consider in any investment we or any of our companies make," Alberto Yepez told me on the phone. He is managing director of Trident Capital, the San Francisco-based venture firm that has raised $1.9 billion across seven funds backing roughly 170 companies. "We do not make an investment until we do a full security analysis. And more often than not there are issues that have to be fixed."

Yepez can point to some serious reasons why he's obsessed with security. Starting back in 2008, Princeton, N.J.-based payments giant Heartland Payment Systems (HPY) lost track of roughly 130 million credit card identities. And in 2011 one of the premier cryptographic organizations in the world, RSA, a unit of EMC (EMC), had one of its core products compromised.

"Events of this scale are boardroom-level things that change the course of a business," he said.

What investors should learn to look for in the case of attacks, Schwarz and Yepez say, is companies that disclose quickly and are willing to cooperate with outsiders that find vulnerabilities, and -- most importantly -- show they are integrating security into their cultures.

"It is about including security in the development life cycle," Schwarz said, "and making that part of your default thinking process."

When I reminded Schwarz how rare the conversation is about the deep security issues looming in the information age -- the Army blaming Bradley Manning and not their own systems, for instance -- he sighed.

"The smallest investment in security in the early stages avoids the expense of the catastrophic nightmare at the end of the project," he said.

"It is the obvious arithmetic of the stitch in time saves nine."
This commentary comes from an independent investor or market observer as part of TheStreet guest contributor program. The views expressed are those of the author and do not necessarily represent the views of TheStreet or its management.