Joshua J. Drake aka jduck
Welcome! My name is Josh. I go by "jduck" on the Internet.
👁 ❤ 🦀 🖥 💻 📱
Background
I am an autodidact that is insatiably curious about myriad computer and technology topics,
including architectures, protocols, operating systems, firmware, reverse engineering,
vulnerability research, and secure development.
My first time on the internet involved an external 2400 baud dial-up modem.
Going all the way back to the BBS days, I showed a propensity for security research, aka "What happens when I do this?"
This innate skill has served me well throughout the years and provided quite an interesting career.
You can read more about my professional experience on LinkedIn.
Contact Details
If there is something you think I can help you with, feel free to reach out.
I am in the "don't ask to ask" camp, so feel free to PM away. If you see "jduck",
it's probably me. Once upon a time, I was on IRC, but not really anymore.
Published Works
When time permits, I will update my public works here... In the meantime, maybe you can discover them on your own 😊
Writing
Developed Tools
- IDA Pro / Hex Rays Superfluous Local Variable tool (iDefense, 2009)
Download: original source code
Functionality was later merged into IDA.
Public Speaking
- Upcoming: Developing Secure Software in 2024 / CanSecWest
- "Owning Enterprise Mail via Nth Party Software" at Toorcon 11, October 24th 2009.
Sean Larsson and Joshua J. Drake of VeriSign iDefense Labs
Sean and I presented our research into the Autonomy KeyView and Oracle
Outside-In document file format SDKs, which are embedded into
IBM Lotus Notes, Blackberry Enterprise Server, Symantec Messaging
Gateway, and Good Mobile Messaging. Using rudimentary dumb fuzzing, we were
able to discover several vulnerabilities and develop working remote code
execution exploits for them. While some issues required user
interaction (such as previewing an attachment), it's important to note that
the attack can be sent to many employees and only a small subset need interact.
Slides/Tools: toorcon2009-nth-party-software.zip
Video: not available
Additional links: Oracle Blog
Vulnerability Discoveries