Archive for the ‘Matasano’ Category

So… How Do I Manage It?

Dave G. | July 9th, 2008 | Filed Under: Feature, Matasano, Navel Gazing

“If we just get this hardware layer 7 firewall to market in 3 months we’ll be funded in 4 and we’ll be millionaires in 24 months tops!” — Thomas Ptacek, shortly before I give the two weeks notice that became 6 weeks at Symantec.

Matasano has been around for over three years now, and we are not millionaires. The company’s original goal was to create a new way for companies to solve the internal access control nightmare (that still persists, in spite of NAC). In 2005, our thought process was the typical startup blueprint: We have a great team, a great idea, let’s go get some funding and build a product company.

I could probably write a series of blog posts on the VC process, but during both the due diligence process and our independent conversations with customers, we had a common question keep coming up. “This product {sounds great, sounds impossible, is the holy grail}. So… How do I manage it?”

When a product doesn’t exist yet, it is really easy to talk about how you manage it. And since it was a common hurdle, we kept coming up with more and more clever answers to the problem. So, now we had a revolutionary new idea for the firewall, and we also had an incredibly sophisticated management interface. This would be great except we just kept evolving the product to the point where we would have needed a ton of funding to proceed. Also, we learned that we probably know more about the business that we want to build than anyone else.

So, after regrouping, we realized that the common thread in most of our conversations with potential customers was The Management Question. So, we went back to a lot of the folks we talked to and drilled down. We found that even now, in 2008, organizations are still struggling to manage what is arguably the most ubiquitous security product on your network. The firewall.

Yes, the problem of managing firewalls isn’t as fascinating as figuring out how to perform line speed, full decode of protocols and making stop/go decisions at 10Gbits. Instead, we are solving a real operations problem. The type of product where you don’t make everyone’s life more difficult when you deploy, but instead make everyone’s life better.

The obvious question is, “3 years… really?”.

“We have a team of kernel developers working on a web-app… two months, tops.”

This wasn’t three years spent dedicated to application development. The application was built in spare cycles. The fact of the matter is, while we were building this product, we were also building a consulting business.

We started the business based out of Jeremy’s apartment. This was great for me, as the commute was about 10 minutes (Jeremy lived one block further away from me than the old @stake office). Jeremy eventually moved, and we decided to move the office to my apartment. The commute got better, but running a business from your (or at least, my) home is a big quality of life hit for everyone involved. Just ask Dino and Jeremy, they worked on opposite sides of what used to be a dining room table, with Dino having to squeeze in between the air conditioner and the table with like 2 inches to spare. Mostly though, it is hard to feel like a real company when there isn’t an office. It is also hard to feel like a company when you are three people (after Dino and Window left us!). It is also really hard to feel like a company when a customer calls the business line at 10PM to leave a voicemail and gets me answering the phone with the television blaring in the background.

So, we got an office. Then Chicago got an office. Both of these offices were unbelievably humble. The first New York space had four people working inside of a 100 sq. ft. office. The Chicago office wasn’t much bigger. Also, water leaking from the ceiling. Also, it was above some weird print shop. But you know what. Also, it started to feel like a real company.

We also started hiring. Almost like Clockwork, we would get more work as soon as we hired someone (which, basically meant that we still had a gap). Also moving the real company dial.

“Corporate blogging is a total waste of time.” — Dave Goldsmith

At this point, we would cue the Montage:

Offices of the non-leaking variety for Chicago. Hiring amazing people. Holy crap, we have a benefits person. More great customers. Lots and lots of blog posts (almost one a workday since the inception of the company). Dedicated developer for Playbook. Bigger offices for New York and Chicago. 401k’s?! Crazier and crazier consulting projects. Which led to blackhat talks. Which led to even crazier projects. UI Designers cost how much? Horribly… horribly… awesome. Tom calling me to tell me that if we don’t do X in Y time frame the company will surely collapse. Jeremy looking at me like he is going to stab me in the neck if we don’t start hiring more people.

In spite of everything I just ranted about, services is and will continue to be a great business for us. Not only is the work exciting and ever-changing, we just wouldn’t get the same level of visibility into the real life challenges that modern enterprises face.

That being said, we started Matasano with the goal of selling security products. And as of July 2nd, 2008… we do.

ps: It would be absurd if I didn’t take a moment to thank Adam, Alex, Craig, Dan, Dino, Duncan, Eric, Erin, Kim, Max, Mike, Jeremy, Jess, Timur, Tom, Window, Wes, all of our customers, partners and trusted advisors.


CitySec Updates And Now More Ways To Stalk Us!

Dave G. | July 3rd, 2008 | Filed Under: Citysec, Matasano, NYSec, Navel Gazing

  1. STLSec. Shawn @ Agurasec yelled at me for not letting everyone know that St. Louis has an active CitySec meetup:
    The next STLSec is July 10 @ the Fox and Hound. Be there or be square.

We had a great crowd our second time out, about 15-20 folks, roughly the same as the first one, with a number of new faces. That’s VERY impressive considering that CITYSec groups in cities three times our size get less turnout than that… Cool, huh?

If you haven’t come out yet, please do. CitySec is what you make it, so drop by, have a few beers and help us all figure out why we’re all crazy enough to do this crap for a living. Plus, beer. I mentioned that, right?

Directions, as always, at http://www.stlsec.org

  2. NYSEC. The next NYSEC will be on July 15th.
  3. LinkedIn. STLSec, NYSEC and CHISEC all have LinkedIn groups.

  4. Twitter. Matasano has a corp. twitter account. How could you not want to see us have to communicate in 140 characters or less?!

Finally, if you are in the US, enjoy the long weekend. If you aren’t, enjoy the normal weekend.


Matasano’s Playbook: Available Now!

Max Caceres | July 2nd, 2008 | Filed Under: Matasano

We are very pleased to announce the availability of Matasano’s Playbook!

What is Playbook?
Playbook is a web-based command center for network firewalls. From a single console, Playbook allows firewall teams to search firewall rulesets, design access rules with full change tracking, and push them out to one, ten or one hundred devices with a single click.

Playbook helps organizations with multiple network firewalls to better manage their policies by providing a centralized and version controlled repository of rulesets, which can be easily browsed or searched via the web. Network operators can review all recent rule changes affecting the London branch, document a recently provisioned firewall at corporate offices, and rollback to the last known version of rules for the North-East group after an update gone wrong with only a couple of clicks and without having to log into 50 different devices. 

Playbook takes advantage of an expressive wiki engine to help you document rulesets, protocols, and your network infrastructure, so that you not only have a complete audit trail of all your changes, but you also know why those changes are there in the first place.

There is more information at the product’s official website. We’ll keep you posted as Playbook continues to evolve.

If you currently manage multiple firewalls and are interested in learning more about Playbook we’d love to talk with you. Shoot us an e-mail or give us a call at 1-888-677-0666 x7529 (PLAY).


The Web Pest Poet

Thomas Ptacek | June 24th, 2008 | Filed Under: Matasano

[Update 5:30] — And we are again CLOSED. [Update 4:00] — Oh FINE. Twenty more. But you have to be EXTRA witty. [Update 3:50] — AND WE’RE CLOSED! Your pithy comments are still appreciated, though.

Here’s one of the cool things about being an indie company: sometimes someone has a cool idea, and we can get it out the door in under 2 weeks.

By way of example, I present to you Erin’s webpest poetry:

Yup. It’s a perforated sheet of refrigerator magnets with exploit words on them. Here’s a gestalt view:

Now you too can write exploits on your whiteboard or fridge. Suitable for mixing and matching with other magnets — I highly recommend the Shakespeare set; “http:// vouchsafe .af.mil / methinks / WEB-INF” indeed, sir! Includes a handy note-taking surface with our handsome new logo, and a hard-to-read but nice-looking hex chart.

What would you expect to pay for such a stunning value? $9.95? $19.95? $42,949,672.95 (wait, I think that means we wind up paying you). How about free, to the first 2040 commenters on this post. Try to say something witty, though.

(Don’t worry about your address though, we’ll get back to you for it).

My copy of Skiena is not included.

Did we mention that ChiSec is tomorrow? If you’re coming out to it, don’t worry about commenting here. We’ll have some in tow.


WTF, OF COURSE WE DO WEB APP PEN TESTING

Dave G. | June 4th, 2008 | Filed Under: Matasano, Navel Gazing

It boggles my mind, but we get a fair amount of people asking us if we do web application penetration testing, or if we only do the “interesting stuff”. I think there are two reasons for this:

  1. The first is, our website just doesn’t explain what we do very well.
  2. Our blog focuses on the “interesting stuff”.

A dirty little Matasano secret is:

We not only do a lot of web app pen testing, but we actually like it.

I know, it’s crazy, isn’t it? People who can spend a day in a disassembler without bleeding from their eyes aren’t supposed to enjoy testing software as open as websites. But you know what? You have to be engaged to turn in a good penetration test, and if you can’t engage on a web app project, you might be in the wrong business. We like breaking software. The web is no different.

We’re lucky to get diverse projects, and what we find is, the skills you use on them cross-pollinate constantly. For instance:

  • Your software protection project involves lots of block crypto, which you take with you to bust up a web site that uses AES ECB tokens.
  • Or, in the reverse, web pen testing teaches you to think about how sessions are managed, which you take to a binary management protocol and score auth bypass with.

The fact is, there are security disciplines that web app developers have matured far more than shrink wrap or embedded developers, like session management, single sign-on, and authorization systems, and there are disciplines where the C coders are still the thought leaders, like crypto and software protection. If you ignore either, you fall behind.

So, to answer the question, one last time…

Yes, we do web application penetration testing. And we are horrifyingly good at it.


Of course you’d rather intern with Matasano!

Thomas Ptacek | April 24th, 2008 | Filed Under: Matasano

Are you a student looking for some experience in the information security field?

Why, yes!

Consider an internship with Matasano, in Chicago or New York. This is a paid position.

Sounds interesting. I’ve interned for security companies in the past, and got experience making copies of TPS reports, delivering mail, and even providing back massages to senior partners. What can I expect from you?

At Matasano, you can expect to do those things too. But you can also expect to:

  • Learn or hone reverse engineering skills

  • Research vulnerabilities in high-profile software

  • Find zero-day vulnerabilities and never talk about them!

  • Write reversing and security testing tools in fun languages like Ruby or ok wait just Ruby.

Not sold yet?

No.

Consider some of the projects our interns have worked on: web applications your mother has heard of, plus many that she hasn’t! Hardware and RTOS systems built for CPUs that are documented only in secret binutils distributions from India! Popular cryptosystems deployed throughout the Fortune 500!

What’s an RTOS?

Exactly! Consider whether you’re going to learn more with us than at any other internship:

  • You’ll do vulnerability research work almost exclusively.

  • You’ll likely get a diverse set of targets, from Win32 to custom embedded platforms.

  • You’ll have opportunities to work at a very low level (for instance, firmware and chipsets) and at very high levels (for instance, AJAX toolkits).

  • You’ll get a chance to develop and promote new security tools and techniques.

But I don’t know how to do most of this stuff, Thomas.

Can you code?

Sure, in Python.

Are you… interested in any of that RTOS-y, firmware-y, crypto-y security stuff?

I might be if you’d tell me what it is.

Excellent! You’ll fit right in. Here are our requirements:

  • Strong computer programming skills, in any language. You don’t need to be an expert C programmer, but be forewarned, you may be one by the time you leave.

  • Enrollment in a computer science curriculum.

  • Strong written English skills.

  • Ability to work consistent on-site core hours in either Chicago (we’re in the Loop) or Manhattan (we’re downtown).

Do you have any more details?

I do!

  • This is a salaried position.

  • Internships run between 10-12 weeks.

  • Office space and computers (we’re a Mac shop) provided.

How do I apply?

Email us at careers@matasano.com.


Howdy! A Self-Introduction by Wes Brown

Wes Brown | February 15th, 2008 | Filed Under: Matasano, Navel Gazing

I’m Wes Brown, and I’ve just joined the Matasano team and will be working on various clients’ projects as well as internal ones.

Ever since I was hired to rewrite a Fortune 10 corporation’s host security scanner from Bourne Shell into something more usable almost eight years ago, I’ve been involved in security more or less full time. I’ve worn many hats, including researcher, security consultant, and malware analyst.

I’ve presented in the past at security conferences under the banner of Ephemeral Security on the idea of injectable virtual machines. We had a reference implementation of Mosquito using Lua in 2006, and a more sophisticated one using our own Lisp-based virtual machine. While Ephemeral Security is on hiatus, the source code of Mosquito remains available at SourceForge. It’s a lightweight Lisp-based portable virtual machine written in ANSI C that has network and cryptography built in. One of my better presentations is up at Google Video.

I remain keenly interested in lightweight virtual machines as pertaining to security, and will be continuing to work on them with the team at Matasano. I am looking forward to writing about my investigations into malware, virtual machines, small and elegant programming languages, and security in general.


Quit Your Job! Come Join Us!

Max Caceres | September 18th, 2007 | Filed Under: Matasano, Navel Gazing

Hello all, I’m Max Caceres, a new addition to the Matasano team and to this blog. Most recently I ran product management for Core Security, where I got the chance to lead crazy smart folks in the development of CORE IMPACT, a very successful commercial penetration testing product you may have heard about.

I’ve recently joined Matasano to help grow the product side of the house, and in that light I’m happy to inform that we are hiring! We are currently looking for a software developer to work full time on product dev. Just in case you are getting to this post from one of the ads we’ve published elsewhere, or because someone forwarded a link to you, here’s a quick run down of what we are about and what we are looking for.

We’re Matasano Security:

  • an established, profitable indie information security company, with

  • a significant presence in Chicago and NYC, and

  • founded by key players from top industry names.

You’re a software developer:

  • with mastery of one/more of Python, Ruby, Lisp, or C, and

  • mastery of Unix (Linux, BSD, or Solaris), and

  • strong web app skills, including

  • 1-3 years pro dev experience (preferred), and

  • familiarity with networking and security, and

  • enthusiastic about working on a Rails project.

We’re: taking our first product from alpha (now) to launch (soon) in the span of a few months. You: think this sounds like a great chance to work in a bootstrapped startup environment. We: should talk.

Check out this blog to learn more about us. Or read this press hit for more on the product we’re talking about.

This is a 105% get-stuff-done climate: a full-time dev role on a small product team in a thriving consultancy, with no middle management, minimal politics, and a breakneck schedule.

We will be looking at filling more positions at Matasano pretty soon, please drop us a line at careers@matasano.com if you are interested in joining us.


Slides From VT-x Rootkit Detection Talk

Thomas Ptacek | August 7th, 2007 | Filed Under: Defenses, Matasano, Uncategorized

There will be more to come, but for those of you interested, or who missed the talk, here's our slides from the rootkit talk, showing how we can detect unexpected virtualization to ferret out all known virtualized rootkits on any mainstream operating system.


Matasano On The Road!

Dave G. | May 25th, 2007 | Filed Under: Gatherings, Matasano

Just wanted to let everyone know that Tom and I are going to be travelling to Washington DC for the Gartner IT Security Summit. Tom is on the Security Vulnerability Researcher Panel. We will be there on June 4th and 5th, so if anyone is interested in meeting up with us, please email me (daveg@).

Additionally, we will be in Boston from the 6th - 8th, so if you are in beantown, let me know as well.


Who We Are

Matasano is a team of internationally respected security experts who have led security efforts at @stake, Microsoft, ISS, Secure Computing, Arbor Networks, Secure Networks, Bloomberg, Sandia Labs, and others. Read more about our team and how we can help you today.