Douglas B. Moran
790 Matadero Avenue
Palo Alto, CA 94306-2734
- Present: retired
- April 2004 - 2007 : Independent security consultant.
- May 2003 - March 2004 : PacketMotion, Inc : a computer security startup.
Funded January 2004 by ONSET Ventures and Mohr, Davidow Ventures.
- September 2001 - May 2003: Independent consultant.
Evaluation of massively distributed multiagent system;
Computer security component of IT proposal for developing country;
Participant in several potential startups;
Other projects, reports and proposals.
- May 1999 - August 2001:
Recourse Technologies, Inc.
A start-up developing computer security software for
ManTrap (a honeypot),
ManHunt (Intrusion Detection and DDoS response),
and TipOff (forensics, not released).
Acquired by Symantec in August 2002.
Title: Vice President, Research and Development
- Early employee (#4), with consequent contributions
to early growth of company.
- System architect and lead programmer for the TipOff product.
TipOff was based on the approach
that I developed under the DERBI project
System was terminated in response to the recession — had just entered testing.
- System and method for analyzing filesystems to detect intrusions
- System and method for detecting buffer overflow attacks
- System and method for detecting computer intrusions
- 7,032,114: System and method for using signatures to detect computer intrusions
- Extensible intrusion detection system
- System and method for using login correlations to detect intrusions
- 7,203,962 &
System and method for using timestamps to detect attacks
- Supported the development of the other products,
primarily in requirements, testing and evaluation.
Used contacts to acquire sophisticated test data sets
that found bugs not exercised by the existing testing.
- Supported the marketing activities for the company and
the individual products.
Wrote the basic whitepapers for both ManTrap and ManHunt
and both of the company's published papers.
Assisted Marketing Communications by identifying themes
that would appeal to journalists and
by translating technical details into appropriate descriptions.
Significant contributor to the company's basic positioning.
- Supported sales by aggressively evangelizing the products
to my contacts, many of whom were in the position
of "evaluators" or "influencers,"
with resulting sales.
- Created and championed a plan to greatly expand the market for
the ManTrap product
by making it practical and useful to deploy more and
larger clusters of them.
Was pursuing government funding for much of this work.
- 1983-1999: SRI International
(formerly Stanford Research Institute)
Note: At SRI, researchers routinely work on multiple projects,
with senior staff having leadership/management roles on
their primary projects.
- Title: Senior Computer Scientist
- Artificial Intelligence Center:
widely regarded as a world-class research group in AI
- 1986-1987: Cambridge (England) Computer Science Research Centre: Co-founder of SRI's first non-US research facility
(others: Dr. Robert C. Moore, subsequently of Microsoft Research
and Dr. Hiyan Alshawi, subsequently of Google Research).
- 1983-1986: Telecommunications Sciences Laboratory
- Three of these projects are listed in
SRI's Timeline of Innovations: Inventing the future for more than 55 years
(circa early 2000s):
OAA and SLS (as part of "Speech Recognition") in the 1990s
(2 of 33 listings),
and CCWS (for "Multimedia Electronic Mail System") in the 1980s
(1 of 16 listings).
Diagnosis, Explanation and Recovery from Break-Ins (DERBI):
A host-based intrusion detection system (HIDS)
that assumed an out-of-the-box configuration
(no special tools or settings).
In DARPA IDS Evaluations (1998 and 1999),
it used only end-of-day dumps as its data,
but its performance was comparable to HIDS that used
full real-time auditing data (Sun's BSM).
Although it was also applicable to
realtime and near-realtime detection,
DERBI focused on after-the-fact detection.
To overcome the intruder's attempts to camouflage his presence,
DERBI used information from a wide range of sources
to identify likely times and elements of the intrusion,
and then used that information to identify additional elements
that could be part of the intrusion.
Open Agent Architecture™ (OAA).
A distributed multi-agent system
that focused on rapid assembly of new systems from
Included a multimodal user interface
(speech, natural language, gesture and WIMPS).
It was inspired by the experiences of the ShopTalk project (below).
The focus was facilitating the creation
of systems from components that were not intended to work together,
at a significantly higher level of abstraction than
that found in
object-oriented methodologies and Object Request Brokers.
An SDK simplified "wrapping" existing (legacy)
applications to transform them into OAA agents.
The UI was implemented with agents for each supported modality,
with multiple alternatives for most modalities.
Because the UI was implemented with agents,
the user appeared to be just another agent to
the rest of the application,
eliminating the need for the non-UI agents to differentiate
between interactions with the user vs. automated agents.
This research became a core technology of the DARPA CALO research program.
It was subsequently spun off into a start-up that was purchased by Apple
and became their Siri intelligent assistant.
- Co-founder, subsequently Project Leader/Supervisor
for suite of related projects.
Team of 3-7 SRI staff,
plus 1-4 visitors from sponsors
(primarily Japanese and Korean).
- Focused on management, marketing, sales,
and customer relations,
winning contracts from a range of clients
(government and commercial, US and international).
- Formulated technical requirements and approaches,
but being the only senior staff member,
I had to forgo participating in the implementation.
- Honed the marketing message (presentation and demonstration)
and technology to the extent that the OAA
became one of SRI's "Top 10" technologies.
My ability to quickly customize the presentation
to a particular client or audience
resulted in it being heavily used to promote SRI in general,
including a presentation to a head-of-state.
- The success of the OAA design and implementation was attested
to by its incorporation into a range of other SRI systems.
- Featured in "Computing Goes Everywhere", Technology Review magazine, January 2001.
- Videos at http://www.ai.sri.com/~oaa/distrib.html#videos.
- Patent 6,859,931: Extensible software-based architecture for communication and cooperation within and between communities of distributed agents and distributed objects
- 1985-1992: ShopTalk:
An evolving series of research prototypes that demonstrated
the effectiveness of multimodal user interfaces.
The user interface provided transparent, integrated access
to multiple applications;
for example, processing a query could involve combining
historical data from a database with projected results
from a simulator.
This project arose from the merger of two related activities:
a colleague's established marketing activity and
my robust implementation of a prototype
containing many of those ideas
(as part of the CCWS project (below)).
- Deputy project leader, focusing on internal activities:
lead programmer and researcher.
Team of 4-8.
- Substantial contribution to marketing activities:
Created and customized presentations and demonstrations,
presenting part or all to many audiences.
- 1987-1994: Spoken Language Systems:
The Gemini system was based on the CLE system (below),
re-implementing many of the algorithms,
thereby allowing application of "lessons learned"
and design changes to better accommodate integration
with existing speech recognizers.
- Researcher and developer focusing on the
integration of speech recognition and
natural language understanding technologies.
The speech recognizer generated a large weighted set
of possible word sequences,
but the initial Gemini system expected a single input
and produced an ordered (but unweighted) list of results.
- 1986-1987: Core Language Engine (CLE):
A highly capable natural language processing system
that integrated promising new technologies and approaches
while applying the lessons learned from earlier large-scale systems.
- Researcher and developer,
contributing to the development of the overall system,
with primary responsibility for the pragmatics component.
- 1986-1988: Delphi: coarse-grained OR-parallelism in logic programs.
- 1983-1986: Command & Control Workstation (CCWS):
Design and implement multimedia mail and
multimodal conferencing applications.
System was installed on an aircraft carrier
(USS Carl Vinson) and
used during an operational deployment.
- Project leader (replacing original) for a team of 6-7.
- Designer and implementer of automated agent in the
that added graphical information to the conference workspace
using spoken language access
- Developed a commercial quality GUI toolkit.
A software vendor
(Quintus Computer Systems, acquired by Avaya 4/2001)
explored licensing it for sale,
and although it was judged to be technically superior
(functionality, maturity, stability),
they chose to license one of the alternatives for
unspecified "business reasons."
- Computer Facility (1983-1994) (part-time):
This activity provided the practical experience
that led to the DERBI project and the TipOff product.
- Developed extensive collection of tools to simplify
the administration of a rapidly growing computer facility.
The initial set of processes and tools was designed
for my project's Sun workstations,
but they were so successful
that other projects arranged to have their computers
become part of my cluster,
resulting in my becoming manager for all the department's Suns.
The Sun cluster scaled from an initial
4 workstations to 60 without an increase in support staff.
- 1980 - 1983: Oregon State University,
Assistant Professor in Dept. of Computer Science.
- Teaching effectiveness: During those 3 years,
my primary undergraduate programming course
grew from an initial enrollment of 50 to 400,
with a substantial wait-list.
- Computer facility: As part of the move of the department to a different building,
I supervised construction of computer rooms and
upgrade and expansion of the computer equipment.
- 1974 - 1979: The University of Michigan (Ann Arbor), Department of Computer and Communication Sciences
- Teaching Assistant: Head TA for the second course on programming.
Taught recitation sections for that course and others.
- Research Assistant:
Transformed an abstract system based on formal logic into
a computationally viable system,
and in the process unified what had been distinct components.
I was responsible for the semantic component
of a project that produced a computationally viable version
of a sophisticated formal linguistic theory.
The semantics were based on formal mathematical models,
and the smallest non-trivial model for the basic theory
had (2^2^523) elements, but only tens of those elements
were actually used.
I developed a system that allowed the models to be incrementally
built and used without introducing inconsistencies.
This system was subsequently used at several universities as both
a teaching and research tool.
As part of this work, I recognized that the linguistic phenomena
that had been described as a separate topic
could be unified with semantics
as a side-effect of a process-oriented treatment:
the sentence being processed could add information
to the knowledge base (the model),
and consistency checks on the new information needed to be performed
"on the fly."
- President of the Graduate Employees Organization (1976).
The GEO represented the 2100 graduate students working as
teaching, research and staff assistants.
Learned meeting management skills and honed advocacy writing.
Computer Security Activities
My introduction to computer security came as a side-effect
of my managing a computer facility.
Through the early 1990s, SRI was a high-profile site on the Internet
and hence was a frequent target for hackers.
Diagnosing and tracking back attacks was labor-intensive,
and hence slow.
Too often the trail would go cold because of the substantial delays
in tracking an attack through even a small number of sites.
The DERBI research project
resulted from the realization that
a large portion of this process could be automated,
making diagnosis and trackback more effective (faster and more accurate).
I then joined Recourse Technologies to commercialize this approach.
Representative sample of activities in this area:
- Manual trackback of attacks (most of my activity)
- Wrote an extensive collection of tools
to simplify the administration of the computer cluster.
These tools provided notification of inconsistencies,
developing problems and other anomalous situations,
and, as a side-effect, revealed a variety of probes and attacks
(both attempted and successful).
My successor stated that the most important lesson I taught him was
"Good system administration is good security,
and vice versa."
- Aggressively pursued evidence of hacker activity.
We collected evidence of attacks, analyzed it and
reported the results.
We contacted sites that the attacker was using to launch attacks
and passed on our knowledge of the attacker's tools and techniques.
We decided not to ignore probes and unsuccessful attacks
because our group had collaborative relationships
with organizations with poor security practices:
by taking countermeasures against attackers,
we would somewhat decrease the probability of those other sites being compromised,
which would in turn decrease the risk of one of those sites
being used to compromise ours.
- Established a reputation for quickly detecting hacker activity
that had gone unnoticed in other parts of the company.
Became lead for company-wide computer security activities.
- Most notable instance:
In August 1993, we detected an early instance of Rootkit.
We captured much of the toolkit, including the sniffer.
We tracked back the attacks to other compromised sites
and worked with them to extend the trackback.
We were extremely alarmed to find attempts against hosts that
were two of the root name servers.
We notified CERT and worked with the FBI.
The FBI told us they thought they had identified the culprit,
and asked us not to go public while they investigated.
I wrote and distributed a sniffer-detector to affected sites
and to CERT.
Based on information I provided to New York Times reporter John Markoff,
he wrote "Computer Insecurity On the Rise" (November 1)
about thousands of computers that had been
compromised by this attack.
Aside: CERT did not release an advisory (CA-1994-01) until February 3,
and it contained a sniffer detector similar to the one
I had provided to them.
We received no public credit,
although from everything I could determine,
we were the first to report this attacker.
- Interaction with CERTs and law enforcement agencies
- Reports and follow-up of attacks (above)
- Comments on requirements and effectiveness
- Expert consultant and witness
- 1999: Consultant for attorney for corporation (defendant)
in suit claiming unwarranted disciplinary action
based upon allegation of computer misuse.
- 1996: Consultant and witness for San Mateo District Attorney.
A system administrator fabricated evidence of misconduct by
his supervisor, causing him to be fired.
Featured in a page 1 story of October 11, 1997,
"Mainframed: Computers Become a Weapon
in Office Warfare"
(by John Boudreau).
- 1996: Consultant for San Mateo District Attorney.
Provided independent assessment of data being provided
by a corporation's system administrators as evidence
in a felony case.
- 1993: Consultant for Santa Clara District Attorney.
Defendant pleaded guilty.
- Consultant for attorney for a student charged
by his university with hacking university computers
and a corporate network.
Charges were dismissed.
- Reports and other feedback on security problems to vendors.
- Example: REXD (1987): First report of vulnerability to Sun.
Provided a demonstration of its severity that motivated
Sun to deactivate this server in subsequent releases.
- Morris Worm follow-up (1988):
Authored summary of pattern of known vulnerabilities
being allowed to persist from release to release.
Sent as letter by SRI CEO to Sun CEO (McNealy).
Was also used by DARPA (Bill Scherlis) as part of the justification
for the creation of CERT.
- Public distribution of patches and scripts
for various vulnerabilities and configuration problems.
Except for the simplest cases, we worked through an intermediary,
such as the vendor or CERT,
because we lacked the resources needed for answering questions
and the other inevitable follow-up.
Most visible examples of these distributions:
- TFTP CHROOT patch for SunOS (1986):
subsequent SunOS release incorporated the CHROOT capability.
- Anonymous FTP installation script automating extended sequence
of steps described in manual.
Modified version subsequently distributed by CERT.
Areas of Technical Expertise
- Computer Security, Multi-agent Systems, Artificial Intelligence, Natural Language Processing
- Primary programming languages: C, Prolog
- Primary scripting languages: Perl and
various UNIX languages (shells, awk, sed, ...)
- Operating Systems:
- UNIX & variants:
- System programmer (non-kernel), system administrator, expert user
- UNIX: from V7 to BSD 4.x to SunOS 0.7 to SunOS 5.8 (Solaris 8)
- Linux: from RedHat 5.2
- Limited usage of other variants
- Microsoft Windows: advanced user (W95, W98, NT, W2000 Professional)
- University of Massachusetts (Amherst),
Fellow, A.P. Sloan Foundation grant for
Interdisciplinary Studies in Cognitive Sciences in
Dept. of Linguistics and
Dept. of Computer and Information Sciences.
- The University of Michigan (Ann Arbor),
M.S. and Ph.D. from
the Dept. of Computer and Communication Sciences.
- Concentration: Artificial Intelligence and Computational Linguistics
- Dissertation: Model-Theoretic Pragmatics: Dynamic Models and an Application to Presupposition and Implicature
- Massachusetts Institute of Technology,
Bachelor of Science from the Computer Science program
in the Dept. of Electrical Engineering (VI-3).
Former/Retired member of:
- 1994-2013: Neighborhood Association: Barron Park, Palo Alto (approx. 1600 households):
various roles, including
President, e-mail list manager and co-webmaster