A year ago today, I left the comfortable confines of an 18-year career in big-name Government contracting, and joined a very small security startup called Intrepidus Group.
It’s been an interesting year.
One major change — I’ve really stepped up my blogging. I’ve posted detailed analysis on issues ranging from the RSA breach (including a theoretical attack on their SecurID tokens) to the question of whether iPhones were tracking your location (I still say “no.”)
My research efforts have also expanded, resulting in two detailed white papers, the first describing a hack to build rainbow tables for UNIX crypt() passwords, and the second providing documentation for Apple’s iOS Mobile Device Management (MDM) protocol / API. Both those papers also included detailed code that people could use right away to further their own research.
This research also led to opportunities to speak at major information security conferences. In January, I spoke briefly to a huge crowd at ShmooCon on my rainbow table work as part of the closing panel, discussing passwords — past, present, and future. And just a few weeks ago, I headlined my own talk at Black Hat in Las Vegas, discussing the good, bad, and ugly of Apple’s iOS MDM system.
Speaking of iOS, I’ve even found a few interesting bugs, all related in one way or another to MDM. The biggest, of course, was a bit of an 0-day which I dropped during my Black Hat talk: Exploiting man-in-the-middle vulnerabilities in iOS MDM to accomplish an “Evil Maid” attack, and thus bypass secure passcodes on a locked iOS device. Full details are in the talk slides.
Speaking at two cons in a 6-month period was definitely a thrill, and I thank both ShmooCon and Black Hat for the chance to present my results to a broader audience. But speaking wasn’t the only thing I did for cons… Right when I joined Intrepidus, I learned that we’d signed up to rebuild the ShmooCon ticket sales system, and I jumped at the opportunity to tackle that challenge. We had some growing pains during the first round of sales (none of which were my fault, honest! the servers melted into a heap of slag long before my code was activated). In the end, Bruce and company fixed the server issues, and with the help of 3ric Johansen, I optimized my code significantly and the sales ended up going pretty well in the end.
Unfortunately, all that focus on ShmooCon meant that I negelected another project, Khan Fu. However, that’s beginning to spin back up again, and after supporting Black Hat, BSidesLV,and DEFCON, we’re ready to enhance and extend Khan Fu for next year’s con season.
I’ve also continued to have fun with crypto. I was first to solve the THOTCON 0x2 pre-sale puzzle, and also won the ShmooCon badge contest for the 3rd year running. I didn’t go to Toorcon or CarolinaCon, but was able to solve crypto contests for both of those at home, just for fun. Unfortunately, I also ran into my first major defeats: I was soundly beaten by Sak3bomb’s THOTCON 0x2 stego, and totally missed the incredibly obvious for Fidelis Security’s Black Hat challenge. (I blame that one on being pre-occupied by my talk. Yeah. That’s my story, and I’m sticking to it.)
All in all, though, it’s been a great year. I’ve learned a lot, I’ve done a lot, and I’ve worked with some incredibly smart and interesting people. I can’t wait to see what the next year brings!