Tuesday, July 21, 2009

31337 Spotlight: "mckt"

In case you've been living under a rock, allow me to introduce to you another one of the not-known-well-enough Web App Security folks.... Known for his unforgettable pwnage of web sites like McAfee and others using CSRF (Cross-Site Request Forgeries) and brilliant XSS-based hack of "StrongWebMail"... "mckt" is always up to interesting things. Obviously that's not his real name, because in the daylight his ePassport says "Mike Bailey"... and his other one says Haywood Jafixit... so who knows. I count myself lucky enough to have a pretty good working relationship with this guy- so I know he's actually a human being, and not some twitter bot (long story, for another post)...

I caught up with Mike on Twitter (@mckt_) and managed to get him to answer some questions ...
  • mckt - tell us something about yourself
I'm Mike Bailey, and sometimes go by the handle "mckt." It doesn't mean anything, but it's short, hard to pronounce and fairly memorable. I'm a CISO, a geek, an artist, a musician, a foodie, a snowboarder, and a lousy-but-enthusiastic surfer. I think pirates are cooler than ninjas. I like kung fu movies, punk rock, and motorcycle rides through the canyon. I live in Provo, Utah, which is a much cooler town than people give it credit for, though it definitely is different from the rest of the world.

I'm also a hacker, or "security researcher" if I'm trying to sound innocent. I like messing with things- finding out how they work, how they break, and how to make them work for me. Russ McRee calls me "a good guy, with an evil mind," and I've always liked that.
  • What types of technologies do you focus your 'hacking' on (and why)?
Mostly web-centric technologies. There are a few reasons for that. I've spent time as a web developer so I know how they think. It's a relatively unexplored field, and one that is growing (and changing) incredibly quickly. There's new technology popping up every day, and I get to help make it better. That all adds up to make an awful lot of excitement, which is neat.
  • What's your most famous/proud accomplishment over the course of your career?
It's hard to pinpoint one event, but my proudest accomplishment is simply the progress that I've made with my current company. In just a few years, I convinced them they need to take security seriously, rewrote a huge chunk of policy, and vastly improved security education- particularly with the developers. They've still got a long way to go (who doesn't?), but I'm pretty happy about the progress made so far.

I've been involved in a few high-profile things lately- disclosing a CSRF hole in McAfee Secure, and the StrongWebMail hack. Both were fun, but the lesson learned from both is the same: web security is poorly understood, rarely considered, and critically serious stuff. It's not news to us, but it's something that a lot of non-security people need to realize. I'm about as cynical as you are about whether that will actually happen, but it's a good goal.
  • What got you started in Information Security...
The classic story: I got a job in tech support. I enjoyed it- the problem solving, techy stuff. It was a scene I hadn't been a part of for a while. I've always been geeky, having played with web design and some basic coding growing up, but hadn't put much thought into it for a few years. Once I started that job, I picked up a few programming books, set up Debian on some spare hardware, and started playing.

After doing that for a few weeks, I started taking apart some of the apps the company used. One Friday night, I found some problems with the authentication logic in one of the customers' tools- something that would allow me to dump the company's customer database and, it later turned out, access pretty much the entire CRM system. I was stunned, excited, and blown away that anybody could do something so... dumb.

I reported the issue the next Monday, got it fixed, and developed a keen interest in security. While I'd always known that things like that were possible, this was the first time I'd found a hole with such a huge impact, and the first time I realized how critical this stuff was. Within a few months, I moved to a development position (working on that same CRM app) and slowly transitioned to handling security full-time.
  • Tell us something that people rarely know about you?
I studied illustration in college. I was actually pretty good at it, but I broke my arm skateboarding and had to put school on hold while I paid medical bills. I still sketch a lot, but don't paint as much as I'd like. I'm actually thinking about putting together a security-themed show- combining paintings with projections of the data leaking from the viewers' iPhones, RFID chips, etc. It's something I'd like to get around to, but I don't see it happening anytime soon. Maybe if I talk about it here, I'll commit to it.
  • BONUS: What was your first computer system?
Honestly, I'm not sure, I'd have to check with my dad... it was probably just a generic beige box. I always had hardware around my house, just stuff to play with. My dad's company set up a bunch of EMS dispatch systems back in the day, and I'd go on business trips with him and teach all the cops how the systems worked- that was back when I was like 8 years old. I pretty much grew up playing with computers, never seriously, but I always considered it to be normal kids' stuff.
