9/6/2007 09:33 AM

Security Researcher Ptacek: Thriving on Controversy

Renowned security researcher Thomas Ptacek has a knack for keeping it 'real' - and stirring the pot

Not many security researchers can say they were once threatened with legal action by firewall pioneer Marcus Ranum. But then again, not many researchers are anything like Thomas Ptacek.

Ptacek, 30, is well-known for shaking things up in the industry while having a little fun along the way. "We like to stir things up to get people to think... to argue with us," he says. "We learn stuff that way, too. It's when you get challenged that your [work] gets refined."

His uncanny way of bringing arcane technology topics -- such as virtualization-based rootkits -- into the mainstream makes him a popular (and sometimes controversial) talking head at security confabs, and in the blogosphere. Not everyone in the industry appreciates Ptacek's sense of humor or his in-your-face approach, however -- and he knows it.

He concedes that his very public dispute with researcher Joanna Rutkowska over virtualized rootkits at Black Hat last month didn't really build any bridges between his camp (virtualization-based rootkits are detectable) and Rutkowska's (her Blue Pill virtualization-based rootkit is not detectable). (See Hacker Smackdown, Tool Roots Out Virtualized Rootkits, and Blue Pill Gets a Refill.)

Ptacek's talk at Black Hat was called "Don't Tell Joanna -- The Virtualized Rootkit Is Dead," a takeoff on the early '90s cult movie "Don't Tell Mom the Babysitter's Dead." The title didn't exactly resonate with Rutkowska.

"I take responsibility for that... [if] the respect and lightheartedness didn't transfer," Ptacek says. "I'm a fan of Joanna's work. She does amazing stuff. I would like that to have been a little bit friendlier."

Still, Ptacek has no regrets about triggering the debate itself. Publicly challenging Rutkowska's claims about her Blue Pill research has better educated the industry about virtualization-based rootkits overall, he says.

But the rootkit debate wasn't Ptacek's first run-in with a big name in the security industry. In 1998, Ptacek and his former colleagues at what was then Network Associates (and before that, Secure Networks) were finding vulnerabilities in intrusion detection systems (IDS) -- research that didn’t exactly ingratiate them with Marcus Ranum, a pioneer in firewall and IDS technology, who is now chief of security for Tenable Security.

"[Ranum] believes vulnerability research is evil," says Ptacek, now principal of Matasano Security, which he co-founded in 2005.

But it wasn't until Ptacek unloaded what researchers call "the closer" -- publishing a remote root exploit in another vendor's security product -- that his relationship with Ranum officially went south.

"I found a buffer overflow vulnerability in his [Network Flight Recorder] IDS product and published it" in a Network Associates advisory, he says. "He did not like that."

Ptacek has been shaking things up since he first began his career. Like many of his contemporaries in security research, Ptacek chose to ride the mid-'90s dotcom wave rather than get a computer science degree after high school. His first hack was in 1996, when a 19-year-old Ptacek was called in by Seattle's King County Library system to track down the hacker who had hijacked and deleted a card catalog system to host a software piracy bulletin board.

"He [the attacker] didn't think anyone would notice this," Ptacek quips. "His hacker handle was on it, so I got on IRC looking for a person with this nickname. I said 'hey, I heard you have this really excellent software piracy bulletin board.' He gave me all the details, which I handed off to the [district attorney] and got him busted."

Ptacek, who had worked for the library as an intern before moving on to work for an ISP in Chicago, was lauded in the media as a hacker hero for cracking the library case. But he also had a little run-in of his own with law enforcement officials involved in the investigation.

"At one point, I got accused of colluding with him [the attacker], because it was taking 'too long' to get the paperwork," Ptacek recalls. "So I called my boss and went 'on strike' from the case, and he had them send me a formal letter of apology."

Ptacek later went to Secure Networks (eventually purchased by Network Associates), and then in 1999, dropped out of security altogether. Ptacek says he had hit a point that many researchers do -- when they decide security is a "big joke" and that no one's really taking it seriously.

"We had just done a big paper at Secure Networks on IDSes... We had broken all of the ones on the market and proved they don't work," he says. "We all come to a point where we don't like security [anymore]. I wanted to do something 'real, man.'"

He and David Meltzer, now CTO at nCircle, and Danny Dulai, now lead developer at Bloomberg LP, secured $10 million in venture capital funding for a chat/multicasting startup called Sonicity in San Francisco. But like other flash-in-the-pan '90s dotcoms, Sonicity eventually flamed out. It wasn't long before Ptacek headed back to security -- first to Arbor Networks, where he was the lead developer on Arbor's Peakflow DOS product, and then became a product marketing manager.

Five years later, he started Matasano Security with Jeremy Rauch. "We break software for vendors and enterprises. We find vulns in vendors' products before they ship, so people like us don't find them after they ship," he says. "And for enterprises, we go in and prove wrong the claims that vendors make about what security countermeasures are in their software."

Among Matasano's client list is Microsoft, which Ptacek says really "gets it" with its development of Vista. Matasano was one of the firms hired by Microsoft to try to break Vista.

And even with the drama of legal threats, IRC stakeouts, and watching the first buffer overflow bugs get exploited in the early days of the security industry, Ptacek says security is actually more fun now than it was back then. Plus, he still doesn't have a PR person at Matasano to keep him quiet: "We don't have a chaperone to stop us."

Personality Bytes

  • Bad day at the office: "I went to work right out of high school running network cables for businesses around Chicago. One day I fell through a drop ceiling and then later that same day got into a car accident. Or there was the time I resigned and gave two weeks' notice at a job, got escorted out of the building, and had to come in and work from my car in the parking lot for several days to finish a project. Also bad."

  • What Ptacek's colleagues don't know about him: "I can recite the lyrics to arbitrary songs from Phil Collins' 'No Jacket Required' from memory. Also, I never learned to read."

  • Biggest goof-up: "I helped crater a VC-funded streaming video startup in the late '90s, which I guess I should regret. In fact, I'll make it official: I regret not getting rich from my dot-com-bubble startup. But I also learned a lot."

  • Personal message to Joanna Rutkowska: "It would probably be this one ('Don't Worry, Be Happy' by Bobby McFerrin)."

  • After hours: "After work, I don a pair of black pajamas and work tirelessly through the night, righting wrongs and fighting injustices. In other words, I have a six-year-old daughter and an eight-year-old son."

  • Phobias: "The usual stuff. Spiders. Mimes. Drop ceilings."

  • Team: "The Cubs."

  • Comfort food: "There is a place in Chicago, 'Hot Doug's,' where you can get a basket of French fries fried in pure duck fat. I've only had them once, but I aspire to make them my official comfort food."

  • Hangout: "My living room... I'm old."

  • PC or Mac? "Both. Hooray for virtualization!"

  • Dog or cat? "Fish."

  • Wheels: "No comment. But if you want to find out, go to WHITEPAGES.COM. I live in Oak Park, Ill. You'll get my address, and, inexplicably, an estimate of my age. Take that information to PROGRESSIVE.COM, and get an insurance quote for me. After you give them my name and address, they will helpfully reveal to you the make and model of the cars that we own. Thanks, Progressive!"

  • What Ptacek would like to be most known for: "Discovering and hiring the high school kid who figures out how to break into computers by exploiting help file typos."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...