Aperture Podcast: Katie Moussouris
By Michael Mimoso | April 29, 2021
Katie Moussouris joins the Aperture Podcast for a wide-ranging discussion of her work pioneering vulnerability disclosure programs, bug bounties, and crucial standards work.
Moussouris, CEO of Luta Security, also talks about the recent tragic death of one of her contemporaries, Dan Kaminsky. Kaminsky died April 23 at age 42, from complications from an illness. In the days since his death, the security community has shared stories of not only Kaminsky’s ground-breaking work in internet security, but also of his friendship, compassion, and empathy for others in need.
Kaminsky’s professional legacy will likely be the 2008 DNS vulnerability he uncovered. The vulnerability could allow attackers to carry out cache-poisoning attacks against DNS nameservers and redirect traffic anywhere. Other attacks, such as email hijacking and authentication bypass, were also enabled by this bug. The real story of this vulnerability, however, was not only its severity, but the industry coordination behind patching the bug at scale.
Moussouris explains how Kaminsky’s disclosure fostered today’s standard of coordinated disclosure. Kaminsky enlisted Moussouris and Microsoft to host a private meeting where details about the bug would be shared with the largest IT vendors in the world and patching plans could be mapped out. Microsoft, at the time, was the largest desktop OS vendor and, for one of the first times, had to take part in a larger coordinated disclosure effort rather than simply fixing bugs in its own products.
“This was something that required complexity to execute. Dan put the Bat Signal up for the right people to show up,” Moussouris said, adding that Microsoft’s “gravitas” was essential in getting the right people to the table. “That was something where Microsoft had to consider its position relative to others in the world. And the idea of doing disclosures in stages, that was really being felt out at scale for the first time with that bug.”
Kaminsky’s personal legacy was also remembered fondly in a New York Times article published on Tuesday, where some of the work he did out of the public spotlight was highlighted. Those projects included an app helping colorblind people, and telemedicine tools he built for the National Institutes of Health and AMPATH, the Times said.
“He was one of a kind. And I think we’re going to continue to find people who have been touched by him directly or research that he set in motion throughout his career, certainly through the end of our lifetimes and beyond,” Moussouris said.
Throughout the conversation, you also hear more about:
- Moussouris’ advocacy for gender and economic equity, and the establishment of a litigation clinic at Penn State in honor of her late mother
- Vulnerabilities she recently discovered in Clubhouse, an audio-only social networking app
- The current state of vulnerability disclosure programs inside governments and enterprises worldwide