Most of David Maynor's colleagues in the security research community are surprised when they learn that he's a Native American. The renowned security researcher, best known for his controversial Macbook hack, is also a member of the small, North Carolina-based Lumbee tribe, which is currently seeking full status as a federally recognized Indian tribe.
"In Wikipedia, I'm one of the [notable] Lumbees," Maynor says. (You probably also didn't know Maynor shares his tribal roots with another notable Lumbee, Heather Locklear, who's listed among famous Lumbees.)
Maynor, 29, grew up in tiny Pembroke, N.C., a town that just got its first Wal-Mart and where most of the locals claim the coveted Lumbee bloodline. Like most of today's premier security researchers, Maynor didn't get a college degree, although he took classes at Georgia Tech. "In technology, there are more advancements in private industry than in universities. It's hard for academics to keep up" with the pace of security technology, he says, noting that most of what you learn in security, you learn on your own.
Maynor started hacking his parents' and sisters' phone calls at age 14, in what he calls the "lamest" of hacks that required literally cutting the handset plug to the base station of the phone, and attaching clips to lines on the phone cable, among other things. "You could listen to phone calls," he says. "That was 'beige-boxing.' "
Today he's kind of a jack-of-all-trades hacker who digs into Microsoft software bugs as well as wireless driver vulnerabilities, such as the one he and fellow researcher Jon Ellch demonstrated at Black Hat USA last August. "I like focusing on things that can be used to break into your computer or steal information or do bad things to you. If you think about the typical, motivated hacker-for-hire, he's not going to be [an expert in] wireless-only. The enemy is cross-disciplinary, and so should you be."
Maynor says he gets a kick out of how people romanticize security research. It's really not very sexy. [Ed. note: Now there's a shocker.] "If someone were to watch me working, they'd see me sitting for hours in front of my computer, dissembling [code]."
And it's not always the lone cowboy existence it's cracked up to be. It was Ellch, a.k.a. johnnycache, who taught him wireless packet injection, which got Maynor writing fuzzers and finding wireless bugs. Such tutoring and informal support is common among the security research community, he says, where he often vets new research ideas. "It's 'that's cool' or 'that's lame, you shouldn't do that,' " he says of the advice he and other researchers dispense.
Maynor spent just four months at SecureWorks Inc., the company he was working for during the Apple controversy, before leaving to start up Errata Security with its CEO, Robert Graham, former chief scientist at IBM Internet Security Systems. Errata does research and provides vulnerability analysis services and professional consulting and architecture review services. Prior to joining SecureWorks, Maynor spent three years writing exploit code for ISS. (See Startup to Take Measure of Security and 10 Hot Security Startups.)
The Macbook hack at Black Hat last year made Maynor a household name in the security world -- and more like "mud" among Apple enthusiasts who refused to believe their platform had security weaknesses. And although Maynor says he's so over the Apple thing, he prefers not to talk much about it anymore, having finally gone public at the Black Hat D.C. briefings with some details of the hack and his communiqué with Apple. (See Apple Flap Redux.)
Not all researchers were satisfied with his account -- some are still calling for him to release code to show the nitty-gritty details. Maynor says if he had it to do all over again, he wouldn't have been so careful to "protect" Apple users. "I would have dropped the exploit on stage," he says. "I wouldn't have taken such pains to protect their customers."
Ironically, he says he really isn't in favor of full disclosure, where hackers go public with bugs without letting the vendor weigh in with a fix first. "Responsible disclosure works both ways. If a vendor behaves badly, I won't work with them anymore, and then I'm on a full disclosure path. I don't like it, but what are you going to do?"
Still, he sees a major shift in the vulnerability research process underway: Hackers are getting gun-shy amid the threat of vendor lawsuits, and their financial motivation is waning -- it's only the bad guys who make the real bucks for bugs now, and there are few indie researchers left. Most have "real" jobs with security companies now.
"I don't think vulnerability discovery and disclosure is going to continue. There's going to be a huge shift... with information being closely guarded by vendors. Their researchers' findings will be considered trade secrets and will not be publicly disclosed. That will hurt security."
But look out -- Maynor has big plans for this year's Black Hat USA briefings in Las Vegas. "We're planning something bigger than that for Black Hat this year," he says. No details, but look for him and Robert Graham to expose holes in security vendors' claims. "We are mostly interested in how security vendors do stuff or how they don't do stuff [they claim]. That's the heart of our [upcoming] Black Hat presentation."
And no, Apple Inc. (Nasdaq: AAPL) won't be among the vendors they expose, he says.
Kelly Jackson Higgins, Senior Editor, Dark Reading