Though DigiPen graduate Mikhail Davidov is now a Senior Security Researcher for one of the nation’s leading information security firms, Duo Security, he wasn’t always putting his ample skills as a hacker to noble use.
“I remember back in high school I took down the entire computer network during finals week on accident,” he laughs. “I was trying to spam this one computer, but instead of targeting that one I targeted the entire school’s domain.”
Even before he was a mischief-making teen, he’s had an enduring interest in what makes computers tick. The definition of “hacking” that he subscribes to—something more like high-level tinkering than cybercrime—would apply well to his childhood pastimes.
“I definitely grew up taking apart VCRs and messing around with computers,” he says. “I started off coding in Logo, which was this little tiny scripting environment where you could control a little triangle and make it draw shapes, in elementary school on an Apple Macintosh SE.”
From there, he kept going, learning increasingly advanced coding languages and eventually arriving at C, which was about when he ended up at DigiPen. In a recent Reddit AMA, he and his colleagues fielded the question, “How’d you get started in hacking and what drew you to it?” As with almost every one of his coworkers, Mikhail’s point of entry was video games.
I think the most valuable thing that DigiPen taught me is how to write extremely fast C++ and know what is actually going on underneath the hood.”
“As a kid I wanted to cheat at video games and crack software that I couldn’t afford, and everything just kind of snowballed from there,” he answered. Appropriately enough, his junior year game project at DigiPen was called Haxsys 2.0, an action-strategy game set inside “a 3D, virtual, computer world where the player must hack other computers for dominance.”
His interest in hacking would have likely led him into the information security (also known as InfoSec) industry no matter what, he notes, but he does credit DigiPen for helping put him at the skill level he’s currently at.
“One of the best things about the way that DigiPen does things is that they start at the lowest level possible,” he says. “They do it from the bottom up, as opposed to many other universities where they start you off with something super high level like Java. You learn about logic first and you kind of ignore the details. DigiPen does the complete inverse, where you start with the basics and build it all the way up.”
Mikhail actually started at DigiPen in the Bachelor of Science in Computer Engineering program before transferring to the Bachelor of Science in Computer Science in Real-Time Interactive Simulation (RTIS), which is more in line with what he does now.
“All my friends were over in RTIS,” he jokes, and he credits the RTIS program with allowing him to build some serious coding chops.
“I think the most valuable thing that DigiPen taught me is how to write extremely fast C++ and know what is actually going on underneath the hood,” he says. “It was definitely a trial by fire. The deep understanding of how compilers work, how to write fast code, how to know what’s going on underneath the hood—it fostered my drive to learn and understand more.”
And understand more he did. While at DigiPen, Mikhail stayed active in the local hacker community, attending local chapter meetings of hacker organization 2600 and hanging around Seattle’s HackerBot Labs. That eventually earned him the attention of Frank Heidt, the CEO of Seattle-based consultancy Leviathan Security who asked Mikhail to come work for him.
“Drop out of college and come work for me,” Mikhail remembers Heidt saying. He declined that offer, electing instead to finish his degree. After that, he interned at Microsoft, a job he says he thoroughly enjoyed. However, the resulting job offer wasn’t for the group he wanted, so he decided it was time to take Heidt up on his previous offer, which was still on the table. He stayed at Leviathan for six years, building his skills and earning himself a reputation in the InfoSec community.
“Basically if you bought a computer during that timeframe,” he says. “I either looked at hardware or software that you were using. We’d get hired on as a red team to come break into networks or evaluate products directly before they launched.”
I get to talk about what I do and actually publish my research. I love it.”
He also worked on a major security project for the Defense Advanced Research Projects Agency, aka DARPA. That project was called CINDER, which was short for “cyber insider threat.” It was primarily designed to prevent insider threats, but it also dealt with nefarious actors from outside the network. The program they developed was called Major Myer, and it performed analysis on crash artifacts, which are pieces of data that result from a crashed computer program.
“You know when an application crashes you get the little dialogue box?” Mikhail says. “Our solution was a little registry key that tells it, ‘Instead of sending that report to Microsoft, send it to our analysis server.’ And then we’re able to analyze that and be able to tell you whether or not this was a benign application malfunction or a failed exploitation attempt.” That program eventually became a major Leviathan product called Lotan.
“I built a lot of reverse-engineering chops working on that,” Mikhail says. “It was super, super fun to work on.”
As much fun as he had swashbuckling about the world of InfoSec at Leviathan, some major life changes led him over to Duo.
“I wanted to start a family and I needed something a little bit more stable,” he says. “Duo is a much larger, product-focused company. I joined on there to perform innovative research and be somewhat of a brand ambassador and kind of show that we have smart people and we can do cool things.”
One of those cool things is the cheekily-titled report “Dude You Got Dell’d: Publishing Your Privates,” which documents a major vulnerability built in to recently shipped Dell laptops. The laptops were shipped with a faulty security certificate that would have allowed malicious hackers on the same network to intercept a user’s data, as well as to send malicious software back their way in response to requests to download legitimate software or install automatic updates.
Dell obviously wasn’t thrilled with the report, but that’s kind of the point, says Mikhail. Though they go through proper responsible disclosure procedures for every project, the mission is ultimately, he says, “to be a catalyst for change within the information security space, because there are a lot of people doing things very, very wrong.”
The Dell report is one of many interesting projects Mikhail gets to tackle at Duo. One of the other notable ones was the launch of a high-altitude weather balloon into the upper reaches of the atmosphere to attempt “the first Push authentication from the boundary of space.” The balloon was equipped with a satellite phone, as well as a regular phone and a robotic fake finger to press “OK” when the phone received the two-factor authentication request. In that case, his job involved a trip to the Nevada desert to shoot things into space with his coworkers.
Needless to say, Mikhail is enjoying the new gig. It’s his first fully remote job—”I spend a lot of time on Slack!” he jokes—but he says DigiPen did a good job of teaching him the necessary time-management skills.
“How much time do I actually have to dedicate to this one thing before I need to pivot to something else?” he asks, rhetorically, noting that his current gig places similar demands on his time to the game projects he did back at DigiPen. “There’s always crunch.”
That, he says, just comes with the territory. But it hasn’t made him any less enthusiastic about InfoSec. And he’s especially happy about landing at Duo.
“I get to talk about what I do and actually publish my research,” he says. “I love it.”