Archive for the ‘Navel Gazing’ Category
Dave G. | July 9th, 2008 | Filed Under: Feature, Matasano, Navel Gazing
“If we just get this hardware layer 7 firewall to market in 3 months we’ll be funded in 4 and we’ll be millionaires in 24 months tops!” — Thomas Ptacek, shortly before I gave the two weeks’ notice that became 6 weeks at Symantec.
Matasano has been around for over three years now, and we are not millionaires. The company’s original goal was to create a new way for companies to solve the internal access control nightmare (which still persists, in spite of NAC). In 2005, our thought process was the typical startup blueprint: we have a great team, a great idea, let’s go get some funding and build a product company.
I could probably write a series of blog posts on the VC process, but during both the due diligence process and our independent conversations with customers, one question kept coming up: “This product {sounds great, sounds impossible, is the holy grail}. So… how do I manage it?”
When a product doesn’t exist yet, it is really easy to talk about how you manage it. And since it was a common hurdle, we kept coming up with more and more clever answers to the problem. So now we had a revolutionary new idea for the firewall, and we also had an incredibly sophisticated management interface. This would have been great, except we kept evolving the product to the point where we would have needed a ton of funding to proceed. We also learned that we probably know more about the business we want to build than anyone else.
So, after regrouping, we realized that the common thread in most of our conversations with potential customers was The Management Question. So, we went back to a lot of the folks we talked to and drilled down. We found that even now, in 2008, organizations are still struggling to manage what is arguably the most ubiquitous security product on your network. The firewall.
Yes, the problem of managing firewalls isn’t as fascinating as figuring out how to perform line-speed, full protocol decode and make stop/go decisions at 10Gbits. Instead, we are solving a real operations problem: the type of product where you don’t make everyone’s life more difficult when you deploy, but instead make everyone’s life better.
The obvious question is, “3 years… really?”.
“We have a team of kernel developers working on a web-app… two months, tops.”
This wasn’t three years spent dedicated to application development. The application was built in spare cycles. The fact of the matter is, while we were building this product, we were also building a consulting business.
We started the business based out of Jeremy’s apartment. This was great for me, as the commute was about 10 minutes (Jeremy lived one block further away from me than the old @stake office). Jeremy eventually moved, and we decided to move the office to my apartment. The commute got better, but running a business from your (or at least, my) home is a big quality of life hit for everyone involved. Just ask Dino and Jeremy, they worked on opposite sides of what used to be a dining room table, with Dino having to squeeze in between the air conditioner and the table with like 2 inches to spare. Mostly though, it is hard to feel like a real company when there isn’t an office. It is also hard to feel like a company when you are three people (after Dino and Window left us!). It is also really hard to feel like a company when a customer calls the business line at 10PM to leave a voicemail and gets me answering the phone with the television blaring in the background.
So, we got an office. Then Chicago got an office. Both of these offices were unbelievably humble. The first New York space had four people working inside of a 100 sq. ft. office. The Chicago office wasn’t much bigger. Also, water leaking from the ceiling. Also, it was above some weird print shop. But you know what. Also, it started to feel like a real company.
We also started hiring. Almost like clockwork, we would get more work as soon as we hired someone (which basically meant that we still had a gap). Also moving the real-company dial.
“Corporate blogging is a total waste of time.” — Dave Goldsmith
At this point, we would cue the Montage:
Offices of the non-leaking variety for Chicago. Hiring amazing people. Holy crap, we have a benefits person. More great customers. Lots and lots of blog posts (almost one a workday since the inception of the company). Dedicated developer for Playbook. Bigger offices for New York and Chicago. 401k’s?! Crazier and crazier consulting projects. Which led to Blackhat talks. Which led to even crazier projects. UI Designers cost how much? Horribly… horribly… awesome. Tom calling me to tell me that if we don’t do X in Y time frame the company will surely collapse. Jeremy looking at me like he is going to stab me in the neck if we don’t start hiring more people.
In spite of everything I just ranted about, services is and will continue to be a great business for us. Not only is the work exciting and ever-changing, but without it we just wouldn’t get the same level of visibility into the real-life challenges that modern enterprises face.
That being said, we started Matasano with the goal of selling security products. And as of July 2nd, 2008… we do.
ps: It would be absurd if I didn’t take a moment to thank Adam, Alex, Craig, Dan, Dino, Duncan, Eric, Erin, Kim, Max, Mike, Jeremy, Jess, Timur, Tom, Window, Wes, all of our customers, partners and trusted advisors.
Dave G. | July 3rd, 2008 | Filed Under: Citysec, Matasano, NYSec, Navel Gazing
- STLSec. Shawn @ Agurasec yelled at me for not letting everyone know that St. Louis has an active CitySec meetup:
The next STLSec is July 10 @ the Fox and Hound. Be there or be square.

We had a great crowd our second time out, about 15-20 folks, roughly the same as the first one, with a number of new faces. That’s VERY impressive considering that CITYSec groups in cities three times our size get less turnout than that… Cool, huh?

If you haven’t come out yet, please do. CitySec is what you make it, so drop by, have a few beers and help us all figure out why we’re all crazy enough to do this crap for a living. Plus, beer. I mentioned that, right?

Directions, as always, at http://www.stlsec.org
- NYSEC. The next NYSEC will be on July 15th.
- LinkedIn. STLSec, NYSEC and CHISEC all have LinkedIn groups.
- Twitter. Matasano has a corp. twitter account. How could you not want to see us have to communicate in 140 characters or less?!
Finally, if you are in the US, enjoy the long weekend. If you aren’t, enjoy the normal weekend.
Dave G. | June 4th, 2008 | Filed Under: Matasano, Navel Gazing
It boggles my mind, but we get a fair amount of people asking us if we do web application penetration testing, or if we only do the “interesting stuff”. I think there are two reasons for this:
- The first is that our website just doesn’t explain what we do very well.
- The second is that our blog focuses on the “interesting stuff”.
A dirty little Matasano secret is:
We not only do a lot of web app pen testing, but we actually like it.
I know, it’s crazy, isn’t it? People who can spend a day in a disassembler without bleeding from their eyes aren’t supposed to enjoy testing software as open as websites. But you know what? You have to be engaged to turn in a good penetration test, and if you can’t engage on a web app project, you might be in the wrong business. We like breaking software. The web is no different.
We’re lucky to get diverse projects, and what we find is, the skills you use on them cross-pollinate constantly. For instance:
- Your software protection project involves lots of block crypto, which you take with you to bust up a web site that uses AES ECB tokens.
- Or, in the reverse, web pen testing teaches you to think about how sessions are managed, which you take to a binary management protocol and score auth bypass with.
The fact is, there are security disciplines that web app developers have matured far more than shrink-wrap or embedded developers have (session management, single sign-on, and authorization systems), and there are disciplines where the C coders are still the thought leaders (crypto and software protection). If you ignore either, you fall behind.
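The “AES ECB tokens” mentioned above are a good illustration of why block-cipher knowledge carries over to web testing. The example below is added here and is not Matasano’s code; it uses only Go’s standard library, a constructed demo key and constructed sample tokens. It encrypts the same tokens under ECB and under the hardened form (AES-GCM with a random nonce), then runs the check a reviewer would run on a sample of issued tokens: count ciphertext blocks that repeat within a token, and count leading blocks two tokens have in common. Under ECB both counts expose plaintext structure; under GCM they are zero.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed demo values: a fixed key (never hard-code a real one) and three
// tokens. tokenA and tokenB share their first 16 bytes ("role=user;uid=10");
// tokenC carries two identical 16-byte blocks of filler.
var (
	demoKey = []byte("0123456789abcdef")
	tokenA  = []byte("role=user;uid=1001;exp=1215648000")
	tokenB  = []byte("role=user;uid=1002;exp=1215648000")
	tokenC  = append([]byte("role=user;uid=1;"), bytes.Repeat([]byte("A"), 32)...)
)

// pkcs7Pad pads b to a whole number of AES blocks, as ECB requires.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// encryptECB encrypts every 16-byte block independently: the "AES ECB token"
// construction the post mentions, assumed here for illustration. Equal
// plaintext blocks always map to equal ciphertext blocks.
func encryptECB(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	padded := pkcs7Pad(plaintext)
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], padded[i:i+aes.BlockSize])
	}
	return out
}

// encryptGCM is the hardened form: AES-GCM with a fresh random nonce, laid out
// as nonce || ciphertext || tag. Equal plaintexts give unrelated ciphertexts,
// and the tag makes any modification fail on Open.
func encryptGCM(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// repeatedBlocks counts 16-byte blocks equal to an earlier block of the same
// ciphertext: the classic ECB tell, and the check to run on sampled tokens.
func repeatedBlocks(ct []byte) int {
	seen, dup := map[string]bool{}, 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		k := string(ct[i : i+aes.BlockSize])
		if seen[k] {
			dup++
		}
		seen[k] = true
	}
	return dup
}

// sharedPrefixBlocks counts leading 16-byte blocks two ciphertexts have in
// common; under ECB that is exactly how much plaintext the two tokens share.
func sharedPrefixBlocks(a, b []byte) int {
	n := 0
	for i := 0; i+aes.BlockSize <= len(a) && i+aes.BlockSize <= len(b); i += aes.BlockSize {
		if !bytes.Equal(a[i:i+aes.BlockSize], b[i:i+aes.BlockSize]) {
			break
		}
		n++
	}
	return n
}

func main() {
	for name, enc := range map[string]func([]byte, []byte) []byte{"ECB": encryptECB, "GCM": encryptGCM} {
		a, b := enc(demoKey, tokenA), enc(demoKey, tokenB)
		fmt.Printf("%s: %d shared leading block(s); %d repeated block(s) in tokenC\n",
			name, sharedPrefixBlocks(a, b), repeatedBlocks(enc(demoKey, tokenC)))
	}
}
```

The two counters are cheap enough to run over a few hundred captured tokens: any non-zero result on real traffic means the token format is deterministic at block granularity and should be moved to an authenticated, randomized construction such as the GCM variant shown.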
So, to answer the question, one last time…
Yes, we do web application penetration testing. And we are horrifyingly good at it.
Wes Brown | June 2nd, 2008 | Filed Under: Development, Navel Gazing
When Ephemeral Security first came up with the concept of the injectable virtual machine over coffee, we had an aggressive schedule to meet. We needed a proof of concept prototype running within a month in order to meet the submission deadline for Defcon 13.
A perfect language for the task was a glimmer in our eyes, but we did not have the time to implement one. So we profiled various lightweight environments, and Lua looked quite promising. It was small, it was easily extensible, and it was portable across many architectures.
Ephemeral Security settled on LibTomCrypt as our cryptography library, as we considered it the gold standard for such software. It was small, it was efficient, it was well-understood, and it was far easier to use than OpenSSL. OpenSSL does indeed have cipher functions, but it is strongly oriented towards using them in the context of SSL transactions.
The other major component was LuaSockets. We judged that the combination of Lua, LuaSockets, and LibTomCrypt was enough for a proof of concept. We made the deadline for Defcon submissions with an early prototype, and we had a later version ready for demonstration at the actual presentation.
We hated Lua. It wasn’t Mosquito Lisp. We found Lua to be inferior to a language that existed only in our heads at the time. Although, when we needed a prototype that could hobble across the stage in a month, it was the fastest path from idea to novelty. And it was also the slowest path from novelty to tool.
Lua seemed to make simple things complicated, and the use of tables for both arrays and objects made things harder than they should have been. Lua also did not have solid and reliable primitives for I/O. It was really awkward to work with. From our perspective, it had a poor debugger, poor I/O, poor architecture, and a poor C API. It was a good extension language, but it was difficult to extend. Our cryptography code was solid, but affiliation could not be made to work reliably on top of LuaSockets.
But it did the job, and we had a very small environment suitable for second stage injection as a proof of concept. It was a sickening irony that the projector Defcon provided did not work with my Powerbook, and we had to borrow a laptop from the audience to do our presentation. So we never did get to do a demo of the Lua-based MOSREF at Defcon 13.
We learned several lessons from that particular adventure:
- Always make sure the laptop works with the projector provided ahead of time
- We needed an I/O oriented virtual machine and language
- Concepts that are simple in idea can be devilishly complex when we get to details
The next year, we did much better with Mosquito Lisp, thanks to what we learned from using Lua.
For those of you curious about it, here are the presentation slides, and the source code.
EDIT: ‘We’ adjusted to Ephemeral Security in the reference to LibTomCrypt to clarify that it is not a statement or belief held by Matasano Security.
Wes Brown | February 15th, 2008 | Filed Under: Matasano, Navel Gazing
I’m Wes Brown, and I’ve just joined the Matasano team and will be working on various clients’ projects as well as internal ones.
Ever since I was hired to rewrite a Fortune 10 corporation’s host security scanner from Bourne Shell into something more usable almost eight years ago, I’ve been involved in security more or less full time. I’ve worn many hats, including researcher, security consultant, and malware analyst.
I’ve presented in the past at security conferences under the banner of Ephemeral Security on the idea of injectable virtual machines. We had a reference implementation of Mosquito using Lua in 2006, and a more sophisticated one using our own Lisp-based virtual machine. While Ephemeral Security is on hiatus, the source code of Mosquito remains available at SourceForge. It’s a lightweight Lisp-based portable virtual machine written in ANSI C that has network and cryptography built in. One of my better presentations is up at Google Video.
I remain keenly interested in lightweight virtual machines as pertaining to security, and will be continuing to work on them with the team at Matasano. I am looking forward to writing about my investigations into malware, virtual machines, small and elegant programming languages, and security in general.
Thomas Ptacek | December 9th, 2007 | Filed Under: Navel Gazing, Uncategorized
Holy crap.
Our last post was an entire month ago!
So, here’s what happened: we got slammed.
Let me sum it up for you: I am going to go out on a limb and predict that we’ll be posting screen shots of the product, in anticipation of its release, by the middle of January ‘08. We’d show it to you now, but then you’d get to draw an uncomfortable “before-and-after” conclusion about our design skills — we’re waiting on a turn from our UI designers.

(January, oh-eight? What the hell is wrong with us? Oh, yeah, consulting. Worth it. But painful. I laughed at the guy who told me we’d have no problem shoving product out the door while keeping a full client workload; we were turning out more lines of code per day than my old employer! Turns out I forgot about a little thing called QA.)

Operating under the assumption that you don’t care about the machinations of Matasano, the company: here’s what happened with the blog:

Not posting became “a thing”. As in, “oh my god, it’s been three weeks since we posted!”. And I’m like, “I’ve got an awesome post queued up — This Old Vulnerability: SSH CRC Compensator Attack!” And, so, it turns out: don’t do that. Obsessing over post quality delayed this post by at least two weeks, and you have this guy to blame.

And hence this insipid meandering post, because if I don’t write something, it could be 4 more weeks before you see us again.
Some things to expect in the next 2 weeks here:
And like 20 other things we’ve queued up in the meantime.
Thanks for your forbearance. Glad to be back.
Thomas Ptacek | October 12th, 2007 | Filed Under: Navel Gazing, Uncategorized
… but holy crap are we slammed.
We should be returning to our normal posting schedule early next week.
In the meantime, I’m driving down to Champaign-Urbana this evening to give a virtualization talk at ACM Reflections. Wish me luck!
Max Caceres | September 18th, 2007 | Filed Under: Matasano, Navel Gazing
Hello all, I’m Max Caceres, a new addition to the Matasano team and to this blog. Most recently I ran product management for Core Security, where I got the chance to lead crazy smart folks in the development of CORE IMPACT, a very successful commercial penetration testing product you may have heard about.

I’ve recently joined Matasano to help grow the product side of the house, and in that light I’m happy to inform you that we are hiring! We are currently looking for a software developer to work full time on product dev. Just in case you are getting to this post from one of the ads we’ve published elsewhere, or because someone forwarded a link to you, here’s a quick rundown of what we are about and what we are looking for.
We’re Matasano Security:
- an established, profitable indie information security company, with
- a significant presence in Chicago and NYC, and
- founded by key players from top industry names.
You’re a software developer:
- with mastery of one or more of Python, Ruby, Lisp, or C, and
- mastery of Unix (Linux, BSD, or Solaris), and
- strong web app skills, including
- 1-3 years pro dev experience (preferred), and
- familiarity with networking and security, and
- enthusiastic about working on a Rails project.
We’re: taking our first product from alpha (now) to launch (soon) in the span of a few months. You: think this sounds like a great chance to work in a bootstrapped startup environment. We: should talk.

Check out this blog to learn more about us. Or read this press hit for more on the product we’re talking about.
This is a 105% get-stuff-done climate: a full-time dev role on a small product team in a thriving consultancy, with no middle management, minimal politics, and a breakneck schedule.

We will be looking at filling more positions at Matasano pretty soon; please drop us a line at careers@matasano.com if you are interested in joining us.
Dave G. | August 14th, 2007 | Filed Under: Gatherings, Industry Punditry, Navel Gazing
First of all, I loved Blackhat this year. I know it was quiet and relatively drama-free compared to previous years, but it was just good to see a lot of old friends. For us, Blackhat was crazy busy. We had 3 talks and 1 panel. Plus we had a panel at DEFCON as well (making it the first DEFCON I had been to in many years).
THE TALKS
For those of you who haven’t spoken at Blackhat, it is a process by which things invariably go wrong and you find yourself pulling out your hair. I think the combination of the busy season for our business, having to write talks, travel logistics, and having to rewrite talks at the last minute just makes things super stressful. And, oh yeah, your business doesn’t disappear just because you go to Vegas.
Eric Monti spoke about DLP systems along with Thomas Ptacek. The research was awesome, and we are definitely not done talking about that space.
Tom spoke along with Nate Lawson and Pete Ferrie on Virtualized Rootkits. The hubbub was covered by the press, in articles like this one.
Jeremy and I spoke about FIX and how to assess FIX based applications. That talk was a lot of fun to build and deliver. We have been doing a lot of work in that arena, and it was great to get up on stage and talk about it. It was a shame we only had 20 minutes to give the talk. I expected this talk to be more contentious, but there was a lot of nodding in the crowd.
THE PANEL
This year I was asked to do the Sisyphean Vulnerability Disclosure and Ethics panel, moderated by David Mortman and Paul Proctor. The panel included Rob Graham/Errata, Window Snyder/Mozilla, Jon Stewart/Cisco, Ian Robertson/RIM, Steve Lipner/Microsoft and myself. These were the parts of the panel I enjoyed:
When asked the dreaded “Would you hire a hacker?”, neither Lipner nor Stewart touted a party line like “We don’t hire hackers! EVIL!”. Instead they spoke about how they hire people, and gave a war story or two.
Someone asked Window how Mozilla balances profit motive against developing secure software. Ok, they asked all the other vendors that too, but it was still funny to see someone ask a non-profit the corporate greed question.
The discussion on ethics around zero-day signatures a la TippingPoint. I wrote about the risks of this in 2005. Maynor and Graham proved that this is something we need to be thinking about.
The discussion of vulnerability markets came up, and whether researchers should get paid for finding and reporting vulnerabilities to vendors. I wish we had more time to talk about this.
I got to do this panel twice. In and of itself, this wasn’t that interesting. But doing it once at DEFCON and once at Blackhat reminded me how different the views of the two conferences’ attendees were. On a related note, I’m old.
My dislike of panels is only surpassed by my desire to talk.
The biggest problems with this panel are:
- Agreement. We all agreed way too much. We need differing opinions, or at least a devil’s advocate.
- Committing to something. It is difficult for people to really take a stand on any topic. It is hard to say something meaningful when you can’t necessarily speak for your organization on every topic.
These, by the way, are challenges for every panel on Earth.
THE PWNIES
Finally, the Pwnies happened this year, which I was really excited about. It came together last minute, but was a lot of fun. Mad props to Alex S., Dave A., HD Moore, and Dino Dai Zovi for not only being some of the most talented folks in computer security, but also the funniest. Also, to Jeff Moss for giving the Pwnie awards a home. It got a shocking amount of coverage.
Thomas Ptacek | April 18th, 2007 | Filed Under: Navel Gazing, Uncategorized
It’s only a matter of days before my son and daughter start asking the same question. The answer: finishing up Matasano’s first product (!), and working with the team on some upcoming announcements. Exciting stuff!
Can’t sleep! Clown’ll eat me!
In the meantime, you can listen to me on Rich Mogull’s Gartner podcast about the value of vulnerability research to enterprises. If you don’t relish the idea of hearing 11 minutes of my nasal, cell-phone-attenuated voice in its full 96bps 22khz glory, here’s what we talked about:
- That vendors who ship products would be way better off getting those products assessed before they ship them, rather than assessed by their customers or competitors in the field. Motherhood, meet Apple Pie.
- That regardless of the ego-tripping that IDA Pro, BinNavi, and firewire/PCI kernel debugging promote (mea maxima culpa), web applications are the future of development and web app security is the future of security.
- That for God’s sake if you’ve got your own web apps you need to get them tested; it’s a phone call and a 2-3 week mostly-unattended service engagement to get a third party to do that for you.
- That nobody coming out of school is automatically an expert in secure coding; CMU and UCDavis are great, but uninitialized variable attacks came from some guy in Europe at some talk in Canada, not from a course curriculum.
- That whatever you spend now on unproven intrusion prevention and antivirus, you should be spending N times more on cultivating an internal vulnerability research team.
No surprises.
I O U 3 more DNS security posts, 2 more Python debugging and runtime code generation posts, and, like, 48748974 other things I’ve got queued up, and promise to get them out soon. Thanks for staying tuned!