5/15/2007
09:45 AM
Up Close With David Maynor

The hacker talks tribe, Macbooks, and surprises in store for next Black Hat

Most of David Maynor's colleagues in the security research community are surprised when they learn that he's a Native American. The renowned security researcher, best known for his controversial Macbook hack, is also a member of the small, North Carolina-based Lumbee tribe, which is currently seeking full status as a federally recognized Indian tribe.

"In Wikipedia, I'm one of the [notable] Lumbees," Maynor says. (You probably also didn't know Maynor shares his tribal roots with another notable Lumbee, Heather Locklear, who's listed among famous Lumbees.)

Maynor, 29, grew up in tiny Pembroke, N.C., a town that just got its first Wal-Mart and where most of the locals claim the coveted Lumbee bloodline. Like most of today's premier security researchers, Maynor didn't get a college degree, although he took classes at Georgia Tech. "In technology, there are more advancements in private industry than in universities. It's hard for academics to keep up" with the pace of security technology, he says, noting that most of what you learn in security, you learn on your own.

Maynor started hacking his parents' and sisters' phone calls at age 14, in what he calls the "lamest" of hacks that required literally cutting the handset plug to the base station of the phone, and attaching clips to lines on the phone cable, among other things. "You could listen to phone calls," he says. "That was 'beige-boxing.' "

Today he's kind of a jack-of-all-trades hacker who digs into Microsoft software bugs as well as wireless driver vulnerabilities, such as the one he and fellow researcher Jon Ellch demonstrated at Black Hat USA last August. "I like focusing on things that can be used to break into your computer or steal information or do bad things to you. If you think about the typical, motivated hacker-for-hire, he's not going to be [an expert in] wireless-only. The enemy is cross-disciplinary, and so should you be."

Maynor says he gets a kick out of how people romanticize security research. It's really not very sexy. [Ed. note: Now there's a shocker.] "If someone were to watch me working, they'd see me sitting for hours in front of my computer, disassembling [code]."

And it's not always the lone cowboy existence it's cracked up to be. It was Ellch, a.k.a. johnnycache, who taught him wireless packet injection, which got Maynor writing fuzzers and finding wireless bugs. Such tutoring and informal support are common in the security research community, he says, where he often vets new research ideas. "It's 'that's cool' or 'that's lame, you shouldn't do that,' " he says of the advice he and other researchers dispense.

Maynor spent just four months at SecureWorks Inc., the company he was working for during the Apple controversy, before leaving to start up Errata Security with its CEO, Robert Graham, former chief scientist at IBM Internet Security Systems. Errata does research and provides vulnerability analysis services and professional consulting and architecture review services. Prior to joining SecureWorks, Maynor spent three years writing exploit code for ISS. (See Startup to Take Measure of Security and 10 Hot Security Startups.)

The Macbook hack at Black Hat last year made Maynor a household name in the security world -- and more like "mud" among Apple enthusiasts who refused to believe their platform had security weaknesses. And although Maynor says he's so over the Apple thing, he prefers not to talk much about it anymore, having finally gone public at the Black Hat D.C. briefings with some details of the hack and his communiqué with Apple. (See Apple Flap Redux.)

Not all researchers were satisfied with his account -- some are still calling for him to release code to show the nitty-gritty details. Maynor says if he had it to do all over again, he wouldn't have been so careful to "protect" Apple users. "I would have dropped the exploit on stage," he says. "I wouldn't have taken such pains to protect their customers."

Ironically, he says he really isn't in favor of full disclosure, where hackers go public with bugs without letting the vendor weigh in with a fix first. "Responsible disclosure works both ways. If a vendor behaves badly, I won't work with them anymore, and then I'm on a full disclosure path. I don't like it, but what are you going to do?"

Still, he sees a major shift in the vulnerability research process underway: Hackers are getting gun-shy amid the threat of vendor lawsuits, and their financial motivation is waning -- it's only the bad guys who make the real bucks for bugs now, and there are few indie researchers left. Most have "real" jobs with security companies now.

"I don't think vulnerability discovery and disclosure is going to continue. There's going to be a huge shift... with information being closely guarded by vendors. Their researchers' findings will be considered trade secrets and will not be publicly disclosed. That will hurt security."

But look out -- Maynor has big plans for this year's Black Hat USA briefings in Las Vegas. "We're planning something bigger than that for Black Hat this year," he says. No details, but look for him and Robert Graham to expose holes in security vendors' claims. "We are mostly interested in how security vendors do stuff or how they don't do stuff [they claim]. That's the heart of our [upcoming] Black Hat presentation."

And no, Apple Inc. (Nasdaq: AAPL) won't be among the vendors they expose, he says.

Personality Bytes

  • Blue Hat?: "I have a close relationship with Microsoft. I can say 'here's a bug, fix it,' and they will."

  • Source of insomnia: "The biggest vulnerability in any company is the people. No matter what security technology you buy, or what processes you put in place, if a user is convinced to click on a [malicious] email, it's game over. You can't protect against that."

  • Favorite team: "Duke University basketball. Coach K for life."

  • On target: "I love long-distance [target] shooting. I used to hunt as a kid, and we'd eat what we killed. Nowadays I don't have time for it, plus we have McDonald's. I don't see the point of killing [an animal] for no reason."

  • After hours: "Movies and reading. But I don't do chick flicks."

  • Favorite hangout: "The Highlander. It's a dive bar in Atlanta near a movie theater. I've been going there for years. It's like my version of Cheers."

  • In Maynor's iPod: "Everything from Japanese Schoolgirls to Hank Williams Jr., and Rammstein... rap, country, and alternative."

  • PC or Mac? "Both -- I'm using a MacBook right now, but I use PCs, too. I usually carry two laptops, and use whatever gets the job done."

  • Comfort food: "Filet mignon."

  • Ride: "A bright orange Dodge Neon. Living in Atlanta, I get tired of cars getting scratched, stolen, glass broken, and stuff like that, so if... my Neon gets stolen or broken, I really don't care about it. It's disposable."

    — Kelly Jackson Higgins, Senior Editor, Dark Reading

    Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
