5:10 PM

His dream is to be a lobster farmer someday. But for now, David Aitel is busy preparing to release his company's new hacking tool-on-a-PCI card that conveniently pops into a desktop machine.

Figure 1:

"You put it into someone's Dell, walk out of their office, and when they boot up... They are owned," says Aitel, founder and CTO of Immunity, which sells penetration testing tools and a Windows debugger. "How cool is that?"

Aitel, 31, is well-known in security circles for his vulnerability research and his popular Dailydave security mailing list, which today has some 4,000 registered users and isn't really about Dave ("Everything about it is a lie -- it's not all about me and it's not daily," he says), as well as for his belief in preserving ocean life.

Why a lobster farm? To protect them in their natural habitat, of course. And "to drive the price down," says Aitel, who lives far from shouting distance of Maine's lobster pounds -- in Miami Beach, Fla.

Aitel grew up in the Washington, D.C., area and got his first real job at 18, with the National Security Agency. An NSA work-scholarship program paid his college tuition at Rensselaer Polytechnic Institute, and he worked at NSA during summer breaks. Like any good current and former NSA employee, Aitel won't say what he did for NSA. "I was 21. It's been a long time and I doubt I can remember what I did," he deadpans.

He does, however, remember leaving NSA about three years after college because he "needed more money" than a federal government job could provide, so he went to work for @stake doing security consulting work. "I learned how to be and how not to be a consultant," he says. "Consulting is a tough gig."

Aitel says at Immunity, he's careful to keep the business as compatible as possible with employees' personal lives. "Immunity buys all of its consultants iPods for those long flights," he says. And he likes to be sure they strike a balance in the work they do on the job, too: When his security experts aren't on a client's site, they are engaged in Immunity product development.

"When they're not on a client visit, they're not reading Full Disclosure all day long," he says. "We don't want this to be a meat grinder -- people need to be taken off full-time consulting and do some product development or they burn out."

Aitel's work and home life can't help but intersect: His wife, Justine -- who previously worked for Internet Security Systems' XForce and later served as CSO of Bloomberg LP -- is his boss as the CEO of Immunity. What's it like reporting to his wife? "Who else are you going to trust to be your CEO?" he says.

His views on responsible disclosure are hard-line: "Typically, informing a vendor is a giant waste of time," Aitel says. "It seems like people spend a lot of time wondering how to best work for the vendors for free... If they are trying be profitable, they should think of other things, like how to help their customers."

Immunity only discloses the zero-day bugs it finds to its clients, not to the vendors themselves. "We do a lot of research when we do a pen-test... to find an '0-day' against your custom technology," he says. "We'll analyze a random printer DLL you have installed, write an exploit, and use that on your network," he says, to help companies better secure their environments.

And Immunity doesn't hesitate to purchase bugs from outside researchers, a practice that has been criticized as commoditizing research and encouraging black market bug sales.

"We have a unique position in that we're well-liked and trusted. These [researchers] are not selling their name, and they are easy to deal with," he says. Immunity usually works only with researchers it knows, but sometimes it does business with ones it doesn't.

"It's kind of like dating," he says of the careful dance Immunity must conduct with unknown researchers. "The first few times, we're a bit more cautious."

Aitel isn't sold on WabiSabiLabi's online auction for selling vulnerabilities, however. "I don't see anything on there worth bidding on yet," he says. "And I don't think the auction model is going to be successful, anyway." (See Microsofties Check Out Vulnerability Auction Site at Blue Hat and WSLabi Woos Microsoft.)

Meanwhile, the self-proclaimed geeky kid "who grew up to be a geeky adult" may have a geek-in-training of his own at home, his son Max. He says it's too early to tell since Max is not quite 2 years old. "He's fascinated by anything that turns on and off," though, he says.

Personality Bytes

Have a comment on this story? Please click "Discuss" at the bottom of this page. If you'd like to contact Dark Reading's editors directly, send us a message.