Joshua J. Drake aka jduck
Welcome! My name is Josh. I go by "jduck" on the Internet.
👁 ❤ 🦀 🖥 💻 📱
Background
I am an autodidact who is insatiably curious about myriad computer and technology topics,
including architectures, protocols, operating systems, firmware, reverse engineering,
vulnerability research, and secure development.
My first time on the internet involved an external 2400 baud dial-up modem.
Going all the way back to the BBS days, I showed a propensity for security research, aka "What happens when I do this?"
This innate skill has served me well throughout the years and provided quite an interesting career.
You can read more about my professional experience on LinkedIn.
Contact Details
If there is something you think I can help you with, feel free to reach out.
I am in the "don't ask to ask" camp, so feel free to PM away. If you see "jduck",
it's probably me. Once upon a time, I was on IRC, but not really anymore.
Published Works
When time permits, I will update my public works here... In the meantime, maybe you can discover them on your own 😊
Writing
Developed Tools
- lk-reducer (droidsec 2015-2023 by Jann Horn and Joshua J. Drake)
Source code: on GitHub
Named after its use case ("Linux Kernel Reducer"), it uses Linux inotify to help eliminate clutter from a built source tree.
- File Dissect (iDefense 2009, Accuvant 2012-2014)
Source code: on GitHub
File Dissect is a custom hex viewer based on wxWidgets. It includes plug-ins such as original C++ implementations of PDF and Microsoft Office file formats.
- IDA Pro / Hex Rays Superfluous Local Variable tool (iDefense, 2009)
Download: original source code
Functionality was later merged into IDA.
Public Speaking
- Developing Secure Software in 2024 at CanSecWest. March 2024. Joshua J. Drake of Magnetite Security. (Abstract | Slides | Slide Src)
- Vulnerabilities 101: How to Launch or Improve Your Vulnerability Research Game at DEF CON 24. August 2016. Joshua J. Drake of Zimperium and Steve Christey Coley of MITRE. (Slides on DCMS | Video)
- Stagefright: Scary Code in the Heart of Android at Black Hat USA and DEF CON 23, August 2015. Joshua J. Drake of Accuvant Labs / Zimperium (Wikipedia | Slides | BH Video | DEF CON Video)
- Owning Enterprise Mail via Nth Party Software at Toorcon 11, October 24th 2009.
Sean Larsson and Joshua J. Drake of VeriSign iDefense Labs
Sean and I presented our research into the Autonomy KeyView and Oracle
Outside-In document file format SDKs, which are embedded into
IBM Lotus Notes, Blackberry Enterprise Server, Symantec Messaging
Gateway, and Good Mobile Messaging. Using rudimentary dumb fuzzing, we were
able to discover several vulnerabilities and develop working remote code
execution exploits for them. While some issues required user
interaction (such as previewing an attachment), it's important to note that
the attack can be sent to many employees and only a small subset need interact.
Slides/Tools: toorcon2009-nth-party-software.zip
Video: not available
Additional links: Oracle Blog
Vulnerability Discoveries