This week on Reflection we have a very young guy from the webappsec field.
Billy’s knowledge on Ajax is tremendous ... his ability to think differently has helped him achieve so much in such a short time.
I got a chance to meet with him in the WASC meetup at RSA. He is a very lively character. Let me put it this way, if billy is a part of a conversation, you won’t get bored even if you just stand there and listen.
Anyone who has worked with Billy knows, he is one of the best security researchers in the world. Billy is among the first people I contact when I need to bounce an idea off someone, and the insight he brings to the table is always impressive. Based on my firsthand experience, it is incomplete to the degree of inaccuracy to simply say "he thinks outside the box". Billy destroys the box before your eyes while telling you what you need to keep in mind when building your next box.
We can say with confidence, that when what comes after "Web 2.0"/AJAX is created, Billy's work will be one of the factors driving design decisions.
I enjoy watching him repeatedly pop up in the press. I feel proud to have known him back when he was just an unknown college student getting sued for the first time.. :)
This has been an interesting week. It started with people who don't even know me questioning my moral fiber. They hadn't seen Jikto. They hadn't asked me what it did. Instead they based all their opinions solely off a news article. As in any situation, forming an opinion, let alone announcing your opinion on a blog when it's only based on knowledge from 1 or 2 sources is rather irresponsible.
However, I must say I laughed more than anything this week. How can you not when you see two people who have never even met you arguing on a public forum: "I think Billy really means this...." "No you're wrong, the larger point of Jikto is ..." I should say that only a handful of these colorful commentators ever stop to ask me anything.
All and all I think Jikto has been success. The demo went extremely well. The presentation was packed to standing room only. I gave a detailed description of the architecture, an exhaustive demo, showed proxy dumps of what was happening, and discussed improvements. I received lots of positive feedback and thanks from many important people, including high level people at Microsoft, Google, MITRE, DoD, IEEE, and Mozilla for disclosing what I had found. As with any good con, I left with more ideas than I arrived with, and hopefully the audience left with a better understanding of the dangers of XSS.