Evolution Of Security: Interview With Pwnie Express CEO Dave Porcello


We recently got the opportunity to spend some hands on time with the Pwnie Express Pwn Plug, the product that has had everyone talking since February’s RSA Conference. We came away from the experience with the strong sense that devices like this are the future of security, for the good guys and the bad.

For not much more than the cost of a modern smartphone, you can get a fully functional Linux penetration testing computer in an innocent white box that will blend in perfectly under a desk or in a wiring closet. Plug it in, walk away, and it will send you a text message when it’s broken through the network’s firewall and has a clear line out. What sounds like a scene out of “Hackers” is now available for anyone with a few hundred bucks to spare.

CEO of Pwnie Express, Dave Porcello, was able to answer a few of our questions regarding his company, the Pwn Plug, and where he sees the technology going in the near future.

Pwnie Express

The Powerbase: Dave, thanks for taking the time to answer a few questions for us. To start, can you introduce yourself to our readers?

Dave: Sure! I’m Dave Porcello, founder of Pwnie Express and an insatiable geek since age 6. Over the years I’ve built arcade machines, small-form-factor computers (one of which resides inside an original NES case), light-controlled MIDI theremins, mock turntables and electronic sound boards, custom home security systems with fingerprint readers, motion sensors, and user-selectable sound effects, and network anomaly detection systems. The Pwn Plug started off as just another side project that hit the cyber security industry at just the right time.

The Powerbase: Pwnie Express is still a young company, founded only a few years ago in March of 2009. What has the experience been like for you starting and developing a small company in a market as competitive as IT security?

Dave: At first we were trying to do security services, and indeed that is an extremely competitive market right now. So I scrapped the services approach and decided to start smaller and focus on a niche market: bleeding edge gear for pentesters. While the pentesting “drop box” is not a new idea (some background here), it blew me away that as of 2010 there was still no off-the-shelf equivalent for the commercial market. Hackers have been building their own drop boxes since the 90’s, and it seemed the commercial sector could greatly benefit from a plug-and-play, remotely-accessible security testing product as well. Of course I had no idea how huge this would become. I was still working as a security engineer at an insurance company until June of 2011, when it became clear that I needed to drop my day job and focus on this full time.

With Pwnie Express we were able to enter the industry a bit “backwards”. Many high-tech startups take the traditional approach of raising capital and building out a team focused on releasing a new solution within 2-3 years. This approach does seem to work in many cases, but I also see it as very risky. You’re assuming by the time your solution is ready it will still be relevant, customers will want it, and no other competitors will beat you to it, and those are some hefty assumptions in the IT security world.

The Powerbase: The Pwn Plug and the Pwn Phone both represent some considerably out of the box thinking, but also have a strong common theme: mobility. Do you believe ultra mobile devices like these are the future of security, both defensively and offensively?

Dave: Absolutely. In my mind mobility is the clear future of all tech, not just security products.

The Powerbase: For such a new market, it’s already getting pretty crowded. With products like the WiFi Pineapple, and even “homebrew” alternatives like the MiniPwner, it seems like competition is already heating up. Do you consider devices like these direct competitors to the Pwn Plug? Is there enough room in this market for everyone?

Dave: We’ve been supporters of Darren at Hak5 since the beginning – we love their products and we’ve even discussed collaborating in the future. I’ve also reached out to Kevin Bong – we love the MiniPwner and in fact have a couple units in-house we’ve been playing with. Since we’re all working on the same problem in an exciting new niche market, I encourage the competition and hope to collaborate with anyone who wants to jump in. Honestly I’m surprised there hasn’t been more direct competition to date. In terms of basic computing power, the Pineapple and MiniPwner are a bit limited (400mHz / 32MB) — great for a basic “Evil AP”, but not ideal for more power-hungry pentesting tools like Metasploit and W3AF. The extra performance and space on the Pwn Plug let’s us offer a bit more in terms of features and functionality.

The Pwn Plug

Open Source Pwn

The Powerbase: Your products make heavy use of open source projects, would it be safe to say that you wouldn’t have been able to bring them to market if you had to develop all of this software in house, or pay licensing fees to include them?

Dave: Absolutely. The security industry has heavily relied on open-source tools since the beginning. Thus, many modern security professionals prefer (in fact, often demand) open source alternatives to solve their security problems.

The Powerbase: If a developer wants to bring his software to either the Pwn Plug or Pwn Phone, what are his options?

Dave: We love to see new open source developments for our products and the security community at large. When someone approaches me about a plug-friendly tool they’re developing, I encourage them to release it to the open-source community and they often request for it to be included in a future plug software release as well.

The Powerbase: What about including packages in the official Pwnie Express repositories? Is there any official process in place to elevate community supported/developed packages to official ones?

Dave: I’m definitely pushing to improve the framework to support this. We’re working to set up official public repositories, better community forums, and other tools to make it easier to contribute and collaborate. In the meantime, anyone looking to contribute can contact me directly and I’ll get their code into our repository.

The Powerbase: You offer “Community Edition” versions of both the Pwn Plug and Pwn Phone software, can you tell us a bit about them? How do they differ from the paid versions?

Dave: The Pwn Plug Community Edition does not include the web-based Plug UI, 3G/GSM support, or NAC/802.1x bypass features included with the commercial version. The Pwn Phone Community Edition is identical to the commercial edition. For both products, priority tech support is currently only provided to commercial customers.

The Powerbase: We always hear about the difficulties in taking open source software and turning that into a profitable business, but it looks like you’ve managed to do just that. What kind of advice would you have for others looking to spin open source projects into a marketable device?

Dave: I would say look at the open-source tools your target customer already uses and loves, then just focus on delivering a solution that makes these tools easier to deploy, use, and maintain for your customers.

Questions Of Legality

The Powerbase: It doesn’t take much imagination to look at products like these and see their possible illegal use. How do you respond to critics that may claim putting devices like the Pwn Plug and Pwn Phone into the hands of anyone with a few hundred dollars is dangerous?

Dave: This has indeed been a concern of mine since the beginning. While we strictly adhere to all federal and export regulations and try to direct our products to commercial/federal users only, I’ve come to realize there is no truly avoiding this conundrum. In law enforcement, national defense, and all other areas of security since the dawn of time, the tools criminals use are the same tools we must use and understand to effectively protect our assets.

The Powerbase: There has been a lot of talk about companies sending Pwn Plugs out to their branch offices with instructions to plug them in as part of their internal security audits. I’ve seen some interesting responses to this, most notably that it’s setting up a dangerous precedent for future social engineering attacks. Do you worry about a future were people just blindly connect a Pwn Plug they are sent as long as the attached note looks official enough?

Dave: Generally speaking, employees should never connect any electronic or data storage device of any kind to anything without proper authorization per their company’s internal security controls. This all comes down to the criticality of security awareness training, which is one of the things we’re helping drive home with the Pwn Plug.

Looking Ahead

The Powerbase: What’s the future for Pwnie Express? Do you have any planned improvements to the current line of products, or perhaps something new all together?

Dave: {Chuckling}  .. we have a major software release coming out in early May that will blow our previous release out of the water. New features include a 15-second bootup, point-and-click SSH receiver setup, new covert channels, SSH-VPN and OpenVPN support, Bluetooth, 802.11n, and Zigbee wireless support, passive recon, 4G GSM cellular access, text-to-bash support (text bash commands to the plug from your phone!), and over 50 new open-source pentesting tools covering web application testing, VoIP, and IPv6. See attached for text-to-bash example screenshot from my iPhone. :}

Interactive Bash session over SMS

Thanks to Dave Porcello for making time in his increasingly busy schedule to answer our questions. Pwnie Express is a creative company leveraging open source to create some seriously disruptive products, and we are very excited to see what the future holds for them.

About Tom Nardi

Tom is a Network Engineer with focus on GNU/Linux and open source software. He is a frequent submitter to "2600", and maintains a personal site of his projects and areas of research at: www.digifail.com .