
Security geeks often come from similar backgrounds. Raised by the pocket-protector-sporting supergeeks of the 1960s, these guys and gals were twiddling with computers at the age that most of us were learning how to hold a crayon.
Not so for David Litchfield, who was already 23 when he decided to make the move into IT security in the late 90s, dropping out of a degree in zoology to pursue computer science studies. But the course ran too slow for his liking — he dropped out of university altogether and moved to London from Scotland to find work in IT. 'At first, I was working in pubs, doing a lot of canvassing while I was teaching myself computers,' he says.
Since his early days in IT, Litchfield has become, arguably, the most prominent database software security researcher in the world. And it was his research that made the Slammer worm possible. Litchfield had discovered a vulnerability in Microsoft’s SQL server product and decided, after the company had released a patch for the bug, to present details about the glitch to a security conference in 2002. 'The code I presented [at the Black Hat security conference] became the template for Slammer,' he says. 'There was six months between the release of the code and the worm.'
When it was unleashed on January 25 of 2003, Slammer wreaked havoc on the Internet. While it was relatively benign — it didn’t destroy any data on infected systems — it generated enough traffic to grind some corners of cyberspace to a near-total halt.
Why was a security researcher presenting information that could be used to cause so much disruption? Litchfield had uncovered a vulnerability in Microsoft’s flagship database server, SQL Server, that was so easy to exploit he considered the release of the code used to exploit it as a wake-up call for database administrators. 'I said if you don’t fix this it will become the next big worm,' he says.
As it turns out, he was right. Despite administrators having six months to apply a patch from Microsoft that would have eradicated the vulnerability he discovered, few, it seems, heeded his warning.
These days Litchfield doesn’t release “proof-of-concept” code like that used as the foundation for Slammer, but says the effect of his research, and even the worm itself, has been positive. 'At the time I did [regret releasing the code] but looking back, Slammer, thankfully, was benign. It didn’t have a malicious payload, it just screwed up a few weekends, and it’s really what brought patching to the boardroom,' he argues. 'Today if you come across a SQL server, nine out of 10 times it will be patched, so Slammer at least brought a change in the way people look at patching.'
You’d think Litchfield’s company, Next Generation Security Software, would hardly be on Microsoft’s Christmas card list after his research was used to knock over SQL servers, but NGS does a substantial amount of work for the software giant.
But he’s not cosy with all the major vendors. He’s been involved in a very public flamewar with Oracle’s chief security officer Mary Ann Davidson for years. 'Before the spat began I travelled over to Redwood Shores to have a coffee with her. I like the woman, she’s a nice person, but professionally I think she’s in the wrong job,' he says bluntly.
It was Litchfield who released limited details of scores of vulnerabilities in Oracle products immediately after the launch of the company’s “Unbreakable” marketing campaign. The campaign suggested that Oracle software was secure, and Litchfield knew it wasn’t. So he set to work on breaking the company’s “unbreakable” products. 'I think it was the civic thing to do, to be honest,' he says. 'If you bought something from a shop, your details are in a database somewhere. To make that information safe, we need secure databases ... and Oracle isn’t doing that. There’s been a complete and utter failure from Oracle as far as I’m concerned.'