Phrack Inc. Volume 16 Issue 71 File 02
==Phrack Inc.==
Volume 0x10, Issue 0x47, Phile #0x02 of 0x11
|=-----------------------------------------------------------------------=|
|=-------------------=[ PHRACK PROPHILE ON BSDaemon ]=-------------------=|
|=-----------------------------------------------------------------------=|
|=-------------------------=[ Phrack Staff ]=----------------------------=|
|=-----------------------------------------------------------------------=|
|=---=[ Specs
Name: Rodrigo Rubira Branco (I blame rcvalle for convincing me long
ago to make my name public - at least I've changed my handle
before associating it with my name, so clean slate)
Handle: BSDaemon
Handle Origin: I was originally a NetBSD fan. It was only later, while
working for IBM, that I started appreciating the qualities
of Linux (as in: messier code, but with deeper support for
specific hardware characteristics and capabilities)
AKA: All buried in a long distant past. Let cert.br cry and
complain about it :)
Country: Brazil
Website: https://www.kernelhacking.com (but it is old, not updated and
ugly) https://twitter.com/bsdaemon
GitHub: https://github.com/rrbranco/ (in theory I would post all
presentations, papers, etc... in practice, I'm super
disorganized and often forget to make a copy of things there)
|=---=[ Background
Not exactly sure what to say. I started using computers really early, but
it was by the age of 10 that I took them seriously. Because I was so young,
no one would accept me in programming classes, and I somehow really wanted
to learn C (the reasons on why that obsession started are now lost in
history). My mom visited all kinds of training facilities to see if anyone
would take me, and someone finally suggested that I just start using Linux
because it was open-source and I could learn by myself.
There was no 'security industry' at the time, and I started doing more and
more low-level things mostly because of cracking (I've played chess since
I was 4 and was competing in national and international championships until
I was at least 16. The games and databases were too expensive, so I learned
how to remove their protections, for me and for my friends. There were no
software protection laws in Brazil at the time, so my family was actually
very proud of it). I would say that because of chess, I've developed a good
ability to endure 'pain' (or frustration), the ability to focus for many
hours, and even a way of looking at the problems differently (I can't really
explain it, but it is a way of correlating things to derive new ideas).
Those things are still what I would say are my strengths. Also because of
chess I was able to study in a really good primary school (my family would
not be able to pay otherwise and public schools are not very good in Brazil),
which gave me a great opportunity to study in a different kind of high school
(we call it a technical high school, which is essentially a high school
where, besides the usual curriculum, one also learns a profession - in my
case, Information Systems. The school is public, but because it is full time and one
of the few excellent options, there is a tough acceptance test, making it
harder to get in than even some of our universities). The technical high
school was great, because I had access to big Unix computers and very high
speed internet.
Given my familiarity with low-level programming and Linux, I was invited to
intern at the school and later at the university (giving me even more access
to such systems). The university used PowerPC (AIX), so I started porting
tools to it (and given they had a bunch of HP-UX they were not using, I also
started porting things to HP-UX) - I guess now people will understand why
years later I wrote so many exploits for those platforms. Maybe it is worth
mentioning that I also studied in the Airforce Academy in Brazil (ITA -
Instituto Tecnologico da Aeronautica). The way I got in was hilarious: they
invited me to give a talk about polymorphic shellcodes, a research area where
I was one of the early pioneers. After the talk, they invited me to join a
project for a secure, embedded OS. In exchange they accepted me to study
there. I must say it was really important in my life.
I've learned the importance of the formalization of knowledge, theory and
math thanks to outstanding professors. I still can't believe no one kicked
me out of there, given how much trouble I caused (for example, smuggling
alcoholic beverages onto the base - the University is inside the Technological
Command of the Airforce, essentially our main airforce base).
At this point, I'm probably jumping over a lot of things in the timeline, but
something worth mentioning is that I met a group of folks online (already in
IRC) and that really changed everything. We started writing exploits together,
and exchanging information and ideas for many years (our group name was Priv8
Security and later because only a few of us were active, we separated and
created the RISE Security group). At some point, we decided to meet face to
face and we organized a meet-up (2600 meet-ups), in Sao Paulo. We chose Sao
Paulo even though many of us, including myself, were from the country-side or
even from other states. We also interacted and exchanged exploits with many
groups from abroad.
Remember that there was no 'value' for exploits, and it was basically for fun
and not for profit (even though many groups were known to use exploits to
compromise systems). It all started to change quite suddenly. I still remember
when iDefense paid USD 4k for a remote exploit on AIX. It was more than a year
of my salary at the time. And they did seem quite legit, so it was hard to
comprehend the reasons. That is also when security research became a 'thing'
and suddenly there were full time jobs doing just that.
A few things to add, but again jumping a lot, is that security research
conferences started popping up everywhere, and it was possible to travel
around presenting some (hopefully good) research. This opened a lot of
doors, to meet even more people focused on different research and also for
work. I ended up having a short experience of working in UAE and just after
that, Israel (yes, what are the odds?). I've been living in the USA for the
past 13+ years though (I originally moved to do my PhD, but ended up
accepting an offer from Intel).
|=---=[ Inspiration
I'm really inspired by the real community. And I talk here about 'real'
because it is very different when someone does things for others versus when
they do something for themselves. I believe the real community spirit is about
others, it is about the sharing of knowledge, it is beyond a career or
individual benefit. It is sometimes detrimental to it!
I love hard challenges and I do my best to make a difference to the world. I
guess as we get older, it is harder to keep that passion alive, and it is hard
to be so naive as to think that we can change something major that makes an
impact. But I do my best to consciously remember that sentiment and feeling. I
do not believe in heroes, but I do admire certain actions and takes by others.
So, here are a few:
- Richard Feynman is a major example for me (especially how much he
criticized the systematic stupidity of the "system")
- Mikhail Botvinnik (world chess champion), because even after being the
world champion for 3 times, he would still listen to radio chess
lessons in order to never forget the 'fundamentals'.
- Garry Kasparov (before he became basically a politician). I still
remember when he was interviewed for a piece 'A day with the world
champion' and the reporter went swimming with him. After a few hours
swimming, he asked Kasparov if they could stop, since he could not do it
anymore. And Kasparov asked: 'So you give up?'. The competitive spirit
and obsession with being the best in whatever one does is inspiring.
Interestingly it also reminds me of a passage in the movie 'Gattaca' in
which someone with 'inferior' DNA goes swimming with a 'superior'
individual and after some time the superior individual just can't anymore.
When he wonders how the other could do better than him, the answer was
simply: 'because I was not thinking about the return'. Dedication *is* the
advantage in my opinion.
- Alexander Kotov. He wrote a book 'Think like a grandmaster' in which he
explained the literal thought process for considering multiple variants
and comparing possibilities in chess. That became my baseline on how to
even study a given topic. To me, it is impressive how much impact someone
can have by simply stating how he does trivial things (such as thinking
about a problem).
But I believe I was blessed (or lucky, whatever word fancies you) on meeting
great people along my journey. I still remember some of my bosses (that
literally had to 'manage' me so I could still be myself and not get in too
much trouble), professors that dedicated their time to help me value things
that before them I (wrongly) thought were not important. And friends, that
believed in crazy ideas and helped me make them a reality! Without pirata and
coideloko I believe I would not have had half of what some consider my
'successes'.
|=---=[ Early Influence:
Ouch, I guess I gave too much of this part in my background :)
I do want to say that my parents, as any other human beings, had their
limitations, but they really loved me. My mom went completely out of her way
to try to support me. She frequently admitted that she had no idea if the
'how' was right, but she did bring me to chess championships, fought for me at
the school, incentivized and believed in me. I still remember when my father
took me on a trip to Sao Paulo, to teach me how to do this myself. He told
me how important it would be for me to have access to things in the big city
and how I could do it without spending much money at all (like, taking the
overnight bus to avoid a hotel, sleeping in the bus station since it was
'safe', going to used book stores in the 'Liberdade' neighborhood, etc). While
they did not speak to each other, my parents did a ton for me.
There was also a director in my high school that I can't even begin to fathom
the impact he had on my life. For some reason I was 'done' with computers, I
decided it was all stupid and that I would go for another profession. One of
the 'private' high schools in my area offered me scholarship (again because of
chess). So I decided to abandon the course. My mom spoke with him, and he
literally came to my house to talk to me. I do not even remember what he told
me, but he did convince me to continue in the course. What would have been if
he was not willing to go completely out of his way to help someone? I mean, it
made no difference whatsoever for him. No real benefits.
Funny enough, on hacking my main inspirations were the folks exchanging
information with each other. That community and group of friends kept me going
deeper and deeper into topics, trying to be an equal made me better. I do want
to give a shout out to pipacs and spender: Even before I knew them (and
eventually became friends), I've learned so much from the code that they were
developing and sharing freely. The pax-future.txt is just it, crazy! Literally
he foresaw the future. The phantasmal ('malloc maleficarum') paper was
another relevant one for me (I like everything in it, even the style of the
write-up and the title!). w00w00 write-up 'On Heap Overflows' was a simple
write-up but with big consequences (I think it was the first time that I had
started considering adjacency and how to force data adjacency - the opening of
the mind for a new idea, I guess).
As a final one, I need to say that Shay Gueron and Sergey Bratus also
completely changed me. Shay Gueron I met at a time that I was bored with
Intel and wanted to leave. I met a random person at a party that told me to
literally email Shay Gueron and ask for a challenge. I never met him before
that, and I sent the email along the lines: 'Hey Shay, we've never met, but
I've just met person X and they told me to ask you for a challenge... I'm
super bored at Intel and will leave if I can't find anything interesting to
do'. He literally replied to me with something like: 'Nice, have a look at
this and let me know what you think'... and sent a few lines of pseudo C
code with it. The code was something along the lines (probably a bit more
elaborated, but not much):
```
variable=rand();
if (variable == <SOME LARGE VALUE>) // can we find a case in which this
                                    // could predictably happen?
    printf("\nsuccess\n");
```
I remember looking at it and my first thought was like: 'oh no, another
typical Intel employee... I'm out of here.'. But something did not bode well
with me. I could not stop thinking: 'what if I'm missing something?'. The
worst that can happen is for someone to think another is stupid, when the one
thinking it is the stupid one :). After all, I had looked Shay up. He was
*VERY* accomplished in crypto. And at work, he was actively writing assembly
code to implement the algorithms, etc. It had to be something that *I* was
missing. And it all suddenly clicked! Here is what Shay was telling me without
words: In a system in which the memory is encrypted, any memory changes are
the same as random for an attacker (therefore, variable=rand() is a way to say
that the attacker has an arbitrary memory write primitive, but of uncontrolled
data). The if condition was basically a way of asking: "are there any cases in
which arbitrarily writing uncontrolled data to memory will be in a predictable
location and therefore advantageous?". Shay, without having any
exploit-writing background had the instinct that data-only attacks are
possible. He also had the instinct that we could find the locations
predictably, even though we could not 'see' the actual data. The collaboration
with him in that research was mind blowing to me!
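The model below is an added illustration, not from the article and not Shay Gueron's code. It replays the `variable=rand()` idea from a defender's side: a privilege field is overwritten with uncontrolled data, and three hypothetical ways of checking that field are compared for how often such a write turns out to be 'advantageous'. The struct, the constants and the splitmix64 stand-in for rand() (used so the numbers are reproducible) are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Deterministic stand-in for the rand() in Shay's snippet: the value an
 * uncontrolled write (e.g. into encrypted memory) leaves behind looks
 * random to the attacker, so it is modelled with a seeded splitmix64. */
static uint64_t splitmix64(uint64_t *state) {
    uint64_t z = (*state += 0x9e3779b97f4a7c15ULL);
    z = (z ^ (z >> 30)) * 0xbf58476d1ce4e5b9ULL;
    z = (z ^ (z >> 27)) * 0x94d049bb133111ebULL;
    return z ^ (z >> 31);
}

/* Hypothetical session record (constructed for this example). The same
 * privilege decision is encoded three ways so each can be compared under
 * the same uncontrolled overwrite. */
#define ADMIN_MAGIC 0x5a17c3e9b04d2f81ULL   /* arbitrary wide constant */
#define ROLE_USER   1ULL
#define ROLE_ADMIN  7ULL

struct session {
    uint8_t  is_admin_flag;   /* checked as "!= 0"                     */
    uint64_t is_admin_magic;  /* checked as "== ADMIN_MAGIC"           */
    uint64_t role;            /* checked together with role_check      */
    uint64_t role_check;      /* must always equal ~role (fail closed) */
};

static void session_init_user(struct session *s) {
    memset(s, 0, sizeof *s);
    s->role       = ROLE_USER;
    s->role_check = ~ROLE_USER;
}

/* Three ways of asking "is this session an admin?" */
static int check_flag_nonzero(const struct session *s) {
    return s->is_admin_flag != 0;
}
static int check_magic(const struct session *s) {
    return s->is_admin_magic == ADMIN_MAGIC;
}
static int check_redundant(const struct session *s) {
    /* A corruption of either field alone breaks the complement relation,
     * so inconsistent state is refused instead of interpreted. */
    if ((s->role ^ s->role_check) != ~0ULL)
        return 0;
    return s->role == ROLE_ADMIN;
}

/* Legitimate admin state passes all three checks (no corruption). */
int checks_accept_real_admin(void) {
    struct session s;
    session_init_user(&s);
    s.is_admin_flag = 1; s.is_admin_magic = ADMIN_MAGIC;
    s.role = ROLE_ADMIN; s.role_check = ~ROLE_ADMIN;
    return check_flag_nonzero(&s) && check_magic(&s) && check_redundant(&s);
}

enum check_kind { CHECK_FLAG, CHECK_MAGIC, CHECK_REDUNDANT };

/* Repeatedly start from a non-admin session, overwrite the field the
 * check relies on with a random value ("variable = rand()"), and count
 * how often the check is fooled. Returns the fraction of fooled trials. */
double corruption_success_rate(enum check_kind kind, unsigned trials) {
    uint64_t rng = 0x1234567890abcdefULL;  /* fixed seed: reproducible */
    unsigned fooled = 0;
    for (unsigned i = 0; i < trials; i++) {
        struct session s;
        session_init_user(&s);
        uint64_t junk = splitmix64(&rng);
        int granted = 0;
        switch (kind) {
        case CHECK_FLAG:
            s.is_admin_flag = (uint8_t)junk;   /* one random byte */
            granted = check_flag_nonzero(&s);
            break;
        case CHECK_MAGIC:
            s.is_admin_magic = junk;
            granted = check_magic(&s);
            break;
        case CHECK_REDUNDANT:
            s.role = junk;                     /* role_check untouched */
            granted = check_redundant(&s);
            break;
        }
        fooled += granted;
    }
    return (double)fooled / trials;
}

int main(void) {
    printf("flag != 0      : %.4f\n", corruption_success_rate(CHECK_FLAG, 10000));
    printf("== magic       : %.4f\n", corruption_success_rate(CHECK_MAGIC, 10000));
    printf("role+complement: %.4f\n", corruption_success_rate(CHECK_REDUNDANT, 10000));
    return 0;
}
```

The `!= 0` flag is fooled by almost every random overwrite (255 out of 256 byte values), while a comparison against a wide constant or a redundant encoding is not; that is the difference between a location where uncontrolled data is 'advantageous' and one where it is not.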
Sergey Bratus I met at the first Troopers conference, in Munich. I remember
sitting in the dinner by his and djb's side. They talked math and software
security the entire night, and I just silently sat there absorbing as much as
I could. Along the years, I've had the privilege of becoming friends with
Sergey. His ability to abstract an instance of a problem into the general
class of problems is impressive. It helped me change my perspective. Also, his
overall knowledge of the world incentivized me to look beyond just computers.
|=---=[ Favorites:
[ Favorite things (books, websites, exploits, people, software, music,
other things you're comfortable sharing) ]
Books - super hard to do a top5:
-> Think like a Grandmaster
-> The Art of Software Security Assessment
-> Surely You're Joking, Mr. Feynman
-> The philosophy of set theory: An historical introduction to Cantor's
Paradise
-> The Art of Computer Programming
Websites - phrack.org (and follow the links of each article?)
Exploits - My favorites keep changing. Public exploits are unfortunately lower
in quality comparatively with the past. Chris Valasek's IIS one (presented at
Infiltrate) is still one that I have to praise (given that I've looked at the
bug and thought it was not exploitable at all). Mark Dowd's work on null
dereferences in user-mode applications is another one that comes to mind.
Qualys has been doing crazy good work recently, and the qmail one has a
special place in my heart.
People - I guess I said it in the other segments, but pirata, coideloko, Shay
Gueron, Sergey Bratus are on the top of my list (many others, and not
including the dead since they won't mind not being in the top list).
Software - Open-source. Maybe I would include IDA in the non open-source list,
just because Ilfak is an awesome person.
Music - I do not listen much to music. I like Brazilian country and forro. If
I had to listen to something while at the computer (like in a noisy, public
place), prodigy (given no lyrics).
Other things - I could share: my favorite guns and military vehicles :) But
that is way better over drinks. So my favorite drink is Jack Daniels (I drink
to get drunk, and Jack Daniels is available anywhere and is cheap, thus my
criteria). On the personal side, my favorite things are my kids and wife. If
it is about my own accomplishments, while what one is proud of will change
over time, I will always remember how happy I was when:
1-) I had my first Phrack paper accepted (On SMM rootkits). I started the
research because the Intel manual had a sentence about what the SMM is used
for and it ended with 'and other purposes'. And I just could not find any
other purpose that was publicly documented!
2-) I got a Pwnie, and to me it is extra special for under-hyped
research. I don't like hype (the bug is an IOMMU bug that is very complex, and
pirata and I wrote a full exploit for it only because everyone at Intel was
saying it was 'too complicated to be exploitable'). Somehow someone else that
was not involved at all got credited to the bug as well, but it does not
matter, still fun and credits are multiplied but not divided anyway!
3-) Best Offensive Work: I guess it is a non public thingy. I'm proud
because it was relevant and used/useful. I believe it does impact the world.
4-) The number of folks that tell me I've helped them in some way and it
changed everything in their lives. What they keep doing and will be doing,
and the ones they will impact and affect are way more than I could ever be
able to do myself. This means that for me, H2HC (we will talk about it
later) is one of, or maybe even, the biggest contributions I've ever made.
When I remember speakers that never gave a talk before and I helped them
construct their argument, organize their research (sometimes even finishing
their code, fixing bugs, re-gaining motivation), people that met and worked
on projects together, etc... it is impossible to not be proud!
And even if it is all an ego thing, and maybe none of the above is really
impactful to the world as I like to believe; somehow it is the ego thing that
keeps me going, keeps me motivated, and maybe even sane!
|=---=[ Memorable Experiences:
I've shared a few in the other sections. But I can give some disasters as well
:)
I still remember my first talk in the Emirates. I always get super nervous
before a talk (even though I have a lot of experience at this point, I still
can't sleep for days). After my talk, a 'dude' came to talk to me. There were
a few guys around as well, but I was paying attention to that person. He told
me something like 'great talk, I really enjoyed it... one of my favorites of
the conference' (or something like that). I was so happy, mixed with the
'calmness' after the talk is done, I hugged him in appreciation! And suddenly
all the other dudes pulled me aside; there was a lot of stress around. The
conference organizer came apologizing and I could not understand what I did
wrong. Well, the guy apparently was one of the 'higher-ups' in UAE and the
others around were his bouncers... apparently you are not supposed to hug
authorities.
I probably have way more of those experiences than I should have. And I still
continue somehow to put myself in awkward situations, so I just have to accept
that is part of who I am and sometimes it is a good thing, you know? Way too
many 'professional', 'by the book', and essentially 'false' people out there.
I will share a few technical examples. I once reported an LPE bug, with an
exploit and everything. I tested running everything as root on that system and
did not notice it was dropping privileges. It taught me to not rush on
results, no matter how excited you are. And the importance of good
peer-review. The worst of those I think was when I ported a PaX feature to
PowerPC. pipacs and spender were super nice guiding me, reviewed a write-up I
had done, everything. They probably spent more time guiding me than they would
have if they ported the feature themselves. I've done some kernel modules to
test things, and I was running in Qemu and on an old Powerbook to test. After
all those tests, there were a couple more places that had to be instrumented.
And it was essentially the same instructions, so I just added the
instrumentation, but did not re-run everything. One of the instructions was
slightly different. Literally, it was just an extra 'o' in the instruction to
use the overflow tracking we needed, so trivial. But not :( It broke shit up,
and the worst is that they were blamed for it. I felt terrible.
|=---=[ How did H2HC come to be? What were/are the initial/current
|=---=[ challenges, and how do you see the future of it?
Hackers to Hackers Conference is in its 21st anniversary this year. The
conference was really an idea of two friends, dum_dum and dmr. They wanted to
create a conference so folks who knew each other only online would be able to
meet. Also, at the time most security conferences were only 'defensive', so
they wanted a high emphasis in 'offensive' content (and real research). From
the get go they invited other friends (I believe it was a total of 8 folks).
And reached out to other security research teams in Brazil as well.
As I mentioned earlier, we were organizing the 2600 meet-ups in Sao Paulo.
When they told us about doing the H2HC (it was in Brasilia, the capital) for
the first time, I submitted a talk (about polymorphic shellcodes). When I
arrived at the hotel, the day before the conference, there was no reservation.
It was the middle of the night, and I did not have actual contacts from anyone
(other than IRC and handles). I asked at the reception: "Hey, have you seen
dudes that look crazy, all in black, full of computers around?". The guy told
me they were in a room. I asked him to call the room, but given it was middle
of the night, he did not want to. I told him I bet they would all be awake
coding. He called, and they were. I stayed in that room. With 7 other people!
(A room for 2). The event itself was as organized as that (and maybe still
is). Lots of folks did not have slides ready at the time of their talk, people
had no idea which rooms to go, etc. Since I was there with them, I helped. So
I kind of was 'part of the organization' since the first edition, even though
it was mostly there, on the day. They officially invited me to join the group
for the second edition, and I did.
Things went well and we are all still friends (I call them 'originals' and I
still gather their feedback and opinions on how the conference is going. I
feel they are the way to keep us focused on the original intentions). While
everything was decided as a group, it was clear that certain things were more
complicated than others (like paying for things upfront). There were also
concerns about having sponsorship (how do we guarantee that sponsors are not
going to 'influence' the direction of the conference?). The amount of work
needed, etc., all make it super hard to be efficient with so many people
discussing everything. So by the 5th edition, I told the folks that I wanted
to leave. They discussed and voted that I should actually take over, with the
promise to keep the conference in the same spirit. I then invited coideloko to
help me out, and we are still at it (with pirata now growing his
responsibilities even more as well). We are still non-profit (now with an
official non-profit org behind the conference). We still have a technical
committee that has veto power for any talk submission (so even when I want to
invite a speaker, once I get the talk information I pass it thru the committee
as if it was a submission). Sponsors do not have sponsorship slots (we did
lose sponsors that insisted, because some get offended when their 'executive'
talk is not accepted). We believe that the right sponsors understand that
this is a community event.
We emphasize the collaboration within the community. For example, we want our
sponsors to have interaction that makes sense (like last year we had a tattoo
shop for a sponsor - it is crazy to think that some people actually tattooed
H2HC!). We do plenty of activities and workshops and try to unite the
communities. I've managed to reach out to the Slackware folks (lots of
Slackware developers in Brazil) and one year we even did a Slackware
conference as a sub-track inside H2HC. BSides in Brazil also started as a
sub-track in H2HC (since the first couple years is hard for a conference,
given they can't get sponsors without having some attendees, and that means
up-front money, we just gave them the space for free). We do everything we can
to bring knowledge to people. Like this past year, we had a legacy BIOS
workshop for free. We do not charge 'book houses' that want to exhibit at the
conference, we just ask for 'free books' that we donate. Additionally, while
our tickets are really cheap (around USD 50 when we open registration), we
still donate a lot of tickets for those that can't afford it (and should be
there). The conference is also open bar (with whiskey, beer and soda), given
that we've always believed that helps with the mood (unsurprisingly, while
there are a few cases of conflicts because of it, mostly it is uneventful and
positive).
I believe the main challenge is really my age :) You see, keeping the
community connected means that the different generations need to be
comfortable and collaborating. We have outstanding parties for our speakers.
It gets harder and harder to be in the 'right' rhythm. Things that everyone
can enjoy in their own style. We are getting more and more help though, so I'm
hopeful.
Security is mainstream. Security Research became a profession. But many just
cannot differentiate it from hacking and the community. They are not the same.
We want the community to flourish because we believe in knowledge for all.
That means the 'security industry' should benefit because there will be talent
available, but it is *NOT* our purpose to benefit that industry. Some sponsors
understand that, some struggle with it. For example, we have the famous
'bathroom leak'. We have no idea who started it, nor why. We do not even know
if it is the same person or group of persons that keep it. But essentially
every year, in the bathroom there are 'leaks' (usually accounts from famous
people in the security industry, or from companies, etc). Maybe it would be
possible to find out the perpetrator(s) with properly setup cameras and
monitoring or whatever. But while we do not help, we also do not do anything
to prevent it. There was a year that a group sent t-shirts, that had a list of
the folks they pwned and published information on. I literally just got a box
of t-shirts delivered to me at the conference. No one explained to me why, nor
told me it was going to happen. But we got it and we distributed it :)
Some people have a hard time understanding that this is what a hacking community
is. Hacking is about community. It will defy rules, and trying to control
defiance only kills that spirit. You end up with 'technical committees' that
have very few actually technical people in them. You end up with sponsors
controlling not only talks that they pay to have, but also talks that they do
not want to happen. Having a little bit of chaos helps everyone have that
stronger community. And from there, a lot of talent comes out, many of which
will not do those more 'dubious' actions. If you do not understand the actual
community, if you are not part of it, give a bit of leeway to those that are.
Reap the benefits from it. Don't try to change what you do not understand
(which by the way applies to all things I guess - change stuff, but first
understand it).
|=---=[ What is the achievement you're most proud of?
My kids. My marriage :)
Professionally, I believe I've managed to create great teams, that really
believed in what they were doing, that did what no one else could do before
(and in some cases no one else could do again after) and that worked truly
together with healthy competitiveness (as in, having fun). My one rule is that
everyone should be having fun together (if we make fun of someone, is that
someone making fun of us the next joke around? as long as the fun 'target' and
'origin' keeps changing fairly, it is game on). I am proud to say that I'm a
professional that does what I believe in, and I have fun doing it, and I do it
because it is right. I do not do it because someone else told me; I do not do
it because it is good for my career; I do not do it because it looks good. It
is hard to be like that. Many consider it 'unprofessional' because I disagree
and fight, instead of 'disagree and commit to bullshit' (notice that the
'bullshit' part is important, because sometimes there are multiple paths
to the same end-result and fighting without progress is also bad).
For the community, I am sure it is H2HC, my contributions to other conferences
(OffensiveCon, LangSec, and others in the past) and my mentorship to folks.
To the world? I believe I've done a lot while at Intel. A lot got reversed or
lost too, which is unfortunate. Still, many more years of incompetence will be
needed to destroy everything.
|=---=[ What is something you are not proud of?
I think I've burned a lot of bridges while trying to do something that I was
certain was critically important for the survival of the company
(specifically, talking about Intel and side-channels). I was told many times
by multiple Senior VPs and Executive VPs that the side-channels represented a
life-or-death situation for Intel and were the biggest issue facing the
computing industry in the past decade.
Intel is a slow company, but a very humane one (as in: with the exception of
the layoffs, there is very little chance of someone getting burned out or in
real trouble). We had to learn a lot of things we didn't know, test a lot of
things we did not have access to, in a lot of different setups we've never
done, all while engineering mitigations for a lot of different use cases that
we did not dominate. All while navigating the slowness, bureaucracy, and with
lawyers involved in everything (as in: emails to my boss had to first be sent
for legal reviews).
My take on this was: I will make it happen, even if I had to go through
people. The rationale was simple: If I don't and the company ends up bankrupt
from the lawsuits, that same individual will be without a job anyway. In my
way of thinking, someone upset by me was way better than a hundred thousand
without a job (plus all the millions of affected users). It was really a
no-brainer. In the best Gattaca style, I never thought about the return
(as in: what is going to happen once this is all behind us? Will you be seen
as the person who did what had to be done or what?). I believed in it so much
that I did not even think about myself (despite many people warning me,
including my wife). I was adamant that it was the right thing.
So I've worked for two and a half years, a minimum of 14hrs a day, including
holidays, weekends. I postponed my honeymoon to be at Intel; I was there on
Christmas, New Year's, etc. I remember sometimes getting home at 3am, to wake
up at 5am to brief a Fellow on the results of the day, so he could brief the
CEO. While some in management appreciated it, some did not care at all (they
were just waiting to retire and get out with bonus retirement packages). Given
I had no 'return' plan, once most of it was behind us (and it was clear that
the lawsuits would just die down and that everything was 'under control' - not
that it was solved, but that it was not a risk anymore), the only person
working on that different rhythm was me. All those 'burned bridges' started
haunting folks in my team (it is funny how things go in big companies, because
people were still too afraid of attacking me directly, so they were damaging
others in my team as a way to get to me). That made me decide to leave, to try
to help the team. Which created another wave of problems, because most decided
to leave with me (which was another unexpected consequence). It was a mess.
|=---=[ What would you like to see published in Phrack? Your VDT article
|=---=[ from 2010 is really good.
I wrote an article a few years back with Sergey Bratus and James Oakley (his
student at the time) that got accepted for publication at Phrack and later got
'declined' because it was a 'new technique' but we did not have a real bug in
which applying it was 'advantageous'. James and Sergey's research was on DWARF
internals and the paper extended that to also explain how gcc called the
pointer to the DWARF section, so we could use their 'DWARF compiler' to create
a kind of injectable shellcode. Even if the technique made some real bug
better, it was going to be killed by the compiler anyway (since it is just a
matter of making it RO like the RELRO mitigation does, and that is what the
compiler ended up doing). But the research is super deep into the internals of
how that works, and I believe that is the spirit of Phrack.
That VDT article was a bit of a shame. The work is amazing and Julio Auto, who
is the main developer of VDT, should have been an author. I wrote it and sent
it to him to review but he never replied. I ended up adding an ACK and he was
the first name in the tool, but many people just look at the 'article author'
and ignore the rest of the credits. I was aware of the timeline and did not
want to add someone as an author when they did not even review the text
(because I could have said a lot of things wrong, who knows).
The collaboration for that research started many years before, and was outside
of VDT. We worked for a company in the UAE, doing vuln-dev. coideloko was part
of the team too. He had performed some kind of forensics work in a large
company, and had a lot of recovered files that were crashing Office. Unlike
files that are generated while fuzzing, though, we had no idea why those
files were causing crashes. Some crashes looked promising, so we started
brainstorming how we could analyze them. Bisecting is not very effective when the
format is not fully well understood (and we did not have code to look at the
different pieces). So somehow we came up with this idea of tracing back from
the crash to the input (since it was easy to see where the file was mapped in
memory). We made some progress while there, but coideloko and I left (and
Julio left shortly after too) and each of us went our different ways. A
few years later I met Julio at another conference, at which I stayed in his
apartment, so we exchanged notes on the progress (he was working on a Windows
based tool, while I was working on something based on Valgrind since I was
doing more Linux based things). Years after the article I worked on some
improvements to the idea to show how it could progress (together with Rohit
Mothe) - we called it DPTrace (the idea was to have a dual connotation), but
the tracing would go both forward and backward, and in the forward path would
do allocations and change the state at the crash moment, based on what it knew
it could do from the backward view. Our PoC worked and was useful (we've shown
it against real software and some of the results in the write-up), but the
overall work still has a lot to be done. It is a topic that I love and hope
others would jump on and make forward progress.
|=---=[ What is your favorite bug/exploit?
We've covered it before.
|=---=[ Will mitigations eventually make exploitation impossible?
I do not believe so. But they are making it much harder, potentially forcing
it to be done by 'teams' versus 'individuals'. In our current state, I
would say the hardest targets already require such a level of collaboration.
I've been telling people that I already see most of the top exploit writers
work for the government (or contractors) versus industry. That is a shame, and
I guess it is a part of the reason why some have takes such as 'the community
is dead'. I do not think the community is dead. There is plenty still going
on. It is just different. And it is again more obscure. So what is probably
dead is the visibility that some had to those communities.
|=---=[ Would you recommend newcomers to contribute to open source projects?
Yes. Open-source and hacking are extremely related ideals. The idea of
removing control over the knowledge from the few, the idea of sharing, the
idea that there are alternatives to the mainstream system imposition. It is
funny that the fact it became mainstream (and polluted) is also common to
hacking and open-source communities.
|=---=[ How has H2HC evolved over the years? What do you enjoy about
|=---=[ organizing a conference?
I think we did not evolve per se, we've kept the same spirit and ideals, but
managed to do it at a larger scale. Somehow we've survived the many modern
pressures that break such endeavors (or change them). Like social media
presence: we have it, but we have it differently. It is a bit chaotic, but we
oftentimes have something fun (and organic, like folks having these crazy
initiatives - like the Mario video game modified with H2HC in different levels
or the super boy modified ROM with the map being the conference venue).
What I enjoy? Meeting outstanding people that otherwise I would probably not
have a chance to meet. It is the chance to see the best of the best as humans,
and interact with them as equals (even though they are obviously better than
me). Finally it is getting the simple feedback that something changed in
someone's life thanks to that effort (even though my contribution is just to
make it happen, to let the right people shine and present what they did). An
example was last year, when I was in the elevator to go pick something up in
my room. A guy entered the elevator, looked at me and asked if I was Rodrigo,
the organizer. I said yes, and he smiled and said that a few years back I gave
him a ticket to attend. At the time he worked in construction but was studying
computers on the side... and the conference inspired him to make the jump and
now he had a great job and it changed his life forever.
|=---=[ Your opinion on the infosec scene now vs then
Infosec is, unfortunately, a circus. That is why the theme for H2HC this year
is a Cyberpunk Circus. It is kind of a tribute to the AI-crazy (after the many
other crazies). It is a tribute to the fact that unfortunately career folks
are taking over truly passionate people. It wasn't much better before (I
started my career as a programmer because security was just about installing
firewalls). Somehow I see more unethical things happening in InfoSec than in
any other area, even though it is a field that is supposedly built on trust.
|=---=[ Your opinion on conferences? Are they too big, too many? Is there
|=---=[ still a way to find that old vibe being productive while partying?
I think we have too many. That means it is harder to survive (as a con) while
doing the right things, and it is harder to select as an attendee. Given that
there are a lot of commercial incentives too, it all became a mess. Like if
you want to present research, Black Hat has a lot of visibility, even though
its quality has dropped terribly in the past few years (as folks joke, Black
Hat became RSA, Defcon became Black Hat - and all of that is a shift towards
worse not better).
It is almost like you gotta be at the big ones, because everyone is there
anyway. Then you also gotta be in some niche ones, because that is where the
good things really are. Then you gotta be in new ones because you want to
support their existence. But then you also gotta be in some of the old ones
that keep the old vibe, because you want them to continue existing. It is too
much really. I really miss PH-Neutral. And I feel bad that I can't attend the
ones in Russia for now and probably should not attend the ones in China
either.
We do have OffensiveCon with exceptional technical content and great people,
but it is expensive (and hard to get tickets). SummerCon is still going too.
But I'm just glad that Phrack is back, hopefully with a more constant cadence,
so once again great research has a home.
|=---=[ Recommendations
Technical Books: [ Are there any technical books you would recommend
that helped you learn some skills ]
Non-Technical Books: [ Are there any non-technical books that you would
recommend everyone read? ]
I guess the same ones I've said before. Plus Intel and Arm manuals.
Researchers: [ Are there any younger generation researchers that
impress you? Who's work should we be following? ]
Project Zero, Qualys, Quarkslab are publishing really top notch work. Keep
an eye on OffensiveCon speakers too. And as usual, Phrack authors.
|=---=[ Reflections
Hacker Spirit: [ What would improve the continuation of the
hacker spirit? ]
I still believe that real hacking is a sub-culture. It is not what the
mainstream shows and it is not the research work, even though the research
work has some (or even all) of the technical aspects of hacking. Hacking is
more about challenging the status quo, knowledge, and freedom. That is not
something that can be easily destroyed. Usurping terms or methods does not
make anything a part of it.
Exploit Industry: [ What are your thoughts on the
hacker-military-industrial complex
(exploit industry)? ]
Unfortunately, it is where most of the capabilities for vuln-dev currently
are. There are still folks in that complex that believe in hacking and
community. I somehow still believe that hacking is different than profession,
no matter what the profession is or how close to hacking it might look.
Early Programming: [ When did you start programming and what were your
early influences that turned you to the dark side? ]
I started writing in C at about 10 years old. I was doing small scripting and
logic before that. I guess breaking things was just a result of natural
curiosity (and need, if you consider cracking also breaking).
Career Burnout: [ How did you stick with a career in security without
getting jaded or burnt out? ]
I honestly think thus far I've been blessed (or lucky). Somehow at critical
junctures in my life, the moments that really make or break, there was someone
that held things together. Like at Intel, before all the craziness, I remember
someone in a meeting called me a 'child'. The next day I showed up for a
follow-up meeting with 'marvel superheroes themed shorts'. Obviously I've had
many human resources discussions over the years because of this kind of
response, but someone was there to navigate me through. Like once I told a
co-worker that I could teach them something, but I could not learn it for them
(because they refused to read a paper that I suggested so they were better
informed before a meeting to discuss the topic). Human resources wasn't happy
with my communication style, but at the same time, they were very
understanding that when someone is openly refusing to read because they prefer
to do a meeting, it is hard to teach them. I do not recommend others to
follow my style, but I do think that if you go deep enough into problems, if
you really care and work hard, some people will understand and will try to
help you. Especially if you clearly are not just an asshole with everyone; you
just do not like certain behaviors and do not accept them.
|=---=[ Insights
Hacking Milestones: [ What's one thing every hacker should do before
they are 25? What about 40? ]
Read the manual of your preferred architecture (hopefully Intel or ARM, but I
guess RISC-V/MIPS is acceptable). Read Knuth's Art of Computer Programming (do
not worry too much about fully understanding it, just be aware of how much
there is that you simply do not even know enough to be able to properly
understand). Read the Art of Software Security Assessment and remember how
long ago it was written (that is both humbling and excellent learning).
Finally, find bugs that were published and work on them. Write an exploit,
understand the bug, see the nuances, come up with ideas. Do not look at the
exploits until you've tried, but do look if you get stuck. It is all great for
learning. And I guess there is no age. Do not let excuses get in the way of
what you love. And if you do not love it, be honest with yourself... do not do
it because it is 'cool' or 'pays well' (it won't be cool and it won't pay well
because you won't be good at it).
Nontraditional Hacking: [ What’s your favorite form of nontraditional
hacking something that doesn’t involve computer
security? ]
Lately I've come across those speed gaming communities. It was an accident
(the son of a friend had this old setup and I started inquiring why and he
told me all about it, and even my friend was super surprised). It is crazy,
because it is totally hacking (and kind of cheating, but totally not) to break
security boundaries/assumptions, for the fun of it. There are categories
(literally constraints on how much you can 'cheat'). Folks writing emulators,
modified games, all kinds of things. It is beautiful! I do not play computer
games at all, but I've got a full setup (that my friend's son did for me) and
I tried the old Zelda. I have this idea that it could be the best way to teach
vuln-dev to folks, because you can see the game changing as you modify objects
in memory. It is an interesting way to teach about allocation, and other
things.
The "Art" of Hacking: [ What do you think the real "art" is in hacking? ]
The truth is that hacking involves dealing with frustration. You do not really
know what is even possible (while an exploit is an actual proof that a bug is
exploitable, and many bugs might be obviously exploitable, it is possible that
nuances would prevent its exploitability). Hacking is also about modifying and
exploring: doing things that were not originally intended. All of that
requires inspiration. The art part is what helps us be inspired and continue
having inspiration beyond the frustration. I can imagine the painter, who has
a clear image in their head, but just can't translate it into a painting. So they
erase it and start over. And do it again, and again, and again. That is
hacking. And it is only possible for artists.
Now, vuln-dev is not only possible for artists. A lot of the technical
processes can be transformed into a pure engineering form. But the coining of
the experiments, the exploration, I believe that will still remain as an art
form. I've seen it in top performing vuln-dev teams. You had lots of folks
producing a lot, but you still had that one person that everyone was like, they
are 'the' beast. Those make a huge difference in the entire team. I guess they
were pointing to the artists, the hackers.
|=---=[ Personal
Other Interests: [ If you decided not to become a professional in the
security space, what other interests motivate you? ]
Maybe a programmer, probably I would just be a loser, drunk somewhere.
Philosophy: [ Carpe Diem or Carpe Noctem ]
I do things when I'm inspired to do them and I believe humans are creatures of
habit so I try to create good habits (but I'm terrible at it, so it is an
internal struggle). I do not sleep much and I prefer to work at night.
Zines: [ Thoughts on the value of zines in a world where blogs and
conferences provide a flood of information? ]
The challenge with blogs and conferences is that there is not necessarily a
quality peer-review process (I mean, I've pointed out some good teams that
have blogs and they do have good peer-review, I'm saying more generally).
While academic conferences claim to have good peer-review, the truth is that
they suck (and are so focused on the formatting that they forget the actual
content). Both cases put too much emphasis on claiming impact, which means
that it is hard to take things at face value.
This is what I expect the value to be from a good zine. PoCs that work,
content that makes sense. No big, hyped claims. "Hey, here is a bug, it works.
It affects A and B, 90% of the time it succeeds but there is a 10% failure
rate, which we believe could be made better because of Z, but we never really
did it."
|=---=[ Quotes
Any quotes you'd like us to include?
Yes, a few...
"I don't know what's the matter with people. They don't learn by
understanding; they learn by some other way - by rote, or something. Their
knowledge is so fragile" - R. Feynman
"What bothered me was, I thought he must have done the calculation. I only
realized later that a man like Wheeler could immediately see all that stuff
when you give him the problem. I had to calculate, but he could see"- R.
Feynman
"And I remembered, when I saw this article again, looking at the curve and
thinking, that does not prove anything!" ... "Since then I never pay attention
to anything by experts. I calculate everything myself" - R. Feynman
"They could not DO it. It was a kind of one-upmanship, where nobody knows
what is going on, and they'd put the other one down as if they did know. They
all fake that they know, and if one student admits for a moment that something
is confusing by asking a question, the others take a high-handed attitude,
acting as if it is not confusing at all" - R. Feynman
|=---=[ Closing Thoughts
If someone tells you hacking is dead, it is because they are not involved in
real hacking. They might have been. They might want to be. And that has
nothing to do with their technical knowledge or ability. It just is. And if
anyone tries to speak for all hackers, or for all hacking, they don't.
Including me in these closing thoughts and throughout this interview :)
|=[ EOF ]=---------------------------------------------------------------=|