Not many security researchers can say they were once threatened with legal action by firewall pioneer Marcus Ranum. But then again, not many researchers are anything like Thomas Ptacek.
Ptacek, 30, is well-known for shaking things up in the industry while having a little fun along the way. "We like to stir things up to get people to think... to argue with us," he says. "We learn stuff that way, too. It's when you get challenged that your [work] gets refined."
His uncanny way of bringing arcane technology topics -- such as virtualization-based rootkits -- into the mainstream makes him a popular (and sometimes controversial) talking head at security confabs, and in the blogosphere. Not everyone in the industry appreciates Ptacek's sense of humor or his in-your-face approach, however -- and he knows it.
He concedes that his very public dispute with researcher Joanna Rutkowska over virtualized rootkits at Black Hat last month didn't really build any bridges between his camp (virtualization-based rootkits are detectable) and Rutkowska's (her Blue Pill virtualization-based rootkit is not detectable). (See Hacker Smackdown, Tool Roots Out Virtualized Rootkits, and Blue Pill Gets a Refill.)
Ptacek's talk at Black Hat was called "Don't Tell Joanna -- The Virtualized Rootkit Is Dead," a takeoff on the early '90s cult movie "Don't Tell Mom the Babysitter's Dead." The title didn't exactly resonate with Rutkowska.
"I take responsibility for that... [if] the respect and lightheartedness didn't transfer," Ptacek says. "I'm a fan of Joanna's work. She does amazing stuff. I would like that to have been a little bit friendlier."
Still, Ptacek has no regrets about triggering the debate itself. Publicly challenging Rutkowska's claims about her Blue Pill research has better educated the industry about virtualization-based rootkits overall, he says.
But the rootkit debate wasn't Ptacek's first run-in with a big name in the security industry. In 1998, Ptacek and his former colleagues at what was then Network Associates (and before that, Secure Networks) were finding vulnerabilities in intrusion detection systems (IDS) -- research that didn't exactly ingratiate them with Marcus Ranum, a pioneer in firewall and IDS technology, who is now chief of security for Tenable Security.
"[Ranum] believes vulnerability research is evil," says Ptacek, now principal of Matasano Security, which he co-founded in 2005.
But it wasn't until Ptacek unloaded what researchers call "the closer" -- publishing a remote root exploit in another vendor's security product -- that his relationship with Ranum officially went south.
"I found a buffer overflow vulnerability in his [Network Flight Recorder] IDS product and published it" in a Network Associates advisory, he says. "He did not like that."
Ptacek has been shaking users up since he first began his career. Like many of his contemporaries in security research, Ptacek chose to ride the mid-'90s dotcom wave rather than get a computer science degree after high school. His first hack was in 1996, when a 19-year-old Ptacek was called in by Seattle's King County Library system to track down the hacker who had hijacked and deleted a card catalog system to host a software piracy bulletin board.
"He [the attacker] didn't think anyone would notice this," Ptacek quips. "His hacker handle was on it, so I got on IRC looking for a person with this nickname. I said 'hey, I heard you have this really excellent software piracy bulletin board.' He gave me all the details, which I handed off to the [district attorney] and got him busted."
Ptacek, who had worked for the library as an intern before moving on to work for an ISP in Chicago, was lauded in the media as a hacker hero for cracking the library case. But he also had a little run-in of his own with law enforcement officials involved in the investigation.
"At one point, I got accused of colluding with him [the attacker], because it was taking 'too long' to get the paperwork," Ptacek recalls. "So I called my boss and went 'on strike' from the case, and he had them send me a formal letter of apology."
Ptacek later went to Secure Networks (eventually purchased by Network Associates), and then in 1999, dropped out of security altogether. Ptacek says he had hit a point that many researchers do -- when they decide security is a "big joke" and that no one's really taking it seriously.
"We had just done a big paper at Secure Networks on IDSes... We had broken all of the ones on the market and proved they don't work," he says. "We all come to a point where we don't like security [anymore]. I wanted to do something 'real, man.'"
He and David Meltzer, now CTO at nCircle, and Danny Dulai, now lead developer at Bloomberg LP, secured $10 million in venture capital funding for a chat/multicasting startup called Sonicity in San Francisco. But like other flash-in-the-pan '90s dotcoms, Sonicity eventually flamed out. It wasn't long before Ptacek headed back to security -- first to Arbor Networks, where he was the lead developer on Arbor's Peakflow DOS product, and then became a product marketing manager.
Five years later, he started Matasano Security with Jeremy Rauch. "We break software for vendors and enterprises. We find vulns in vendors' products before they ship, so people like us don't find them after they ship," he says. "And for enterprises, we go in and prove wrong the claims that vendors make about what security countermeasures are in their software."
Among Matasano's client list is Microsoft, which Ptacek says really "gets it" with its development of Vista. Matasano was one of the firms hired by Microsoft to try to break Vista.
And even with the drama of legal threats, IRC stakeouts, and watching the first buffer overflow bugs get exploited in the early days of the security industry, Ptacek says security is actually more fun now than it was back then. Plus, he still doesn't have a PR person at Matasano to keep him quiet: "We don't have a chaperone to stop us."