Title : Phrack Prophile on Gera
Author : Phrack Staff
==Phrack Inc.==
Volume 0x10, Issue 0x48, Phile #0x02 of 0x12
|=-----------------------------------------------------------------------=|
|=---------------------=[ PHRACK PROPHILE ON Gera ]=---------------------=|
|=-----------------------------------------------------------------------=|
|=--------------------------=[ Phrack Staff ]=---------------------------=|
|=-----------------------------------------------------------------------=|
|=---=[ Specs
Name: gera
Handle: gera
Handle origin: it's just my name ¯\_(ツ)_/¯
AKA: casper (around 1993?), Richie++ (¿ 4:900/208.3 ? @FidoNet)
Country: Argentina
Website: http://127.1:631
GitHub: gerasdf
|=---=[ Background
2400 baud version:
I always wanted to do robots. My mother sent me (at 11 yo?) to learn
Logo, and I did. Got my first computer (TI99/4A). Got a Commodore 64 and
then a 128. Learned assembly on the Commodore, at around 12 years old. PC
enters life. Got hold of Turbo Assembler, Turbo Pascal, Turbo Debugger, etc
at school. Found friends to learn together. After struggling, I found Ralf
Brown's interrupt list, then Sourcer disassembler. The Stoned virus found
me, got totally hooked, and started collecting virii. Wrote my first “virus”
to bypass security at school.
Collected PC viruses, and wrote a few myself. Found more friends to
learn with, and we moved on to accessing openly available remote computers.
We thought we could even make (legal) money from what we loved. (Co) Founded
Core SDI/Core Security, wrote and released ABOs (Advanced Buffer overflows),
(co) created Core IMPACT (this is no longer the 2400 bps version and I’m not
liking it), I taught assembly and exploit writing, put together the exploit
writing team at Core... got fed up with the security industry, started
Disarmista (2008?), exclusively offering reverse engineering services for
“good reasons”. Got a call from a friend, along the lines of “hey, want to
come and do satellites?” – I said “no”, but there was really no reason to
say no. 15 years later I’m still doing satellites, and their security too.
----------
Now, the version for the historians and the really bored readers:
I started with computers at 10 or 11, and the order of events is fuzzy
now at 50. I always liked opening toys to see how they worked, and that
earned me the nickname “Ingegneri disarmista” as a kid. For some reason I
still can’t understand, I always said "I want to build robots". In 1985
Argentina there weren’t many options, but my mother found a place to send me
after school to learn some coding. I had no computer at the time, so I could
only touch a keyboard to use Logo on a TI99/4A, once a week. I moved the
turtle around, learned geometry and “programming” with lists, it was really
fun and eye opening. Then one day my parents showed up with a TI99/4A for
me, around 1986. I thought I could do Logo on it, but I discovered I needed
a memory expansion and something else, so I was confined to Basic and a few
other things... I don't even remember what I did with the TI, likely Basic
and very few games... Then I got a Commodore 64.
As I gained access to some games (though I don't remember anyone paying
for them, except for a guy at 'Valente Computación' who had his own intros),
I started wondering how to write them. I knew Logo and had learned some
Basic, but that surely wasn't enough. There had to be something else. One
day I got my hands on a "Tu Micro Commodore" magazine, and there I found a
strange listing with PEEKs, POKEs, and lots of DATA statements with infinite
numbers. Of course, I started changing the numbers randomly, and sometimes
I was lucky enough to see an effect (other than a crash). The "Tu Micro
Commodore" became my window to the world. I religiously waited for the next
one arrived (in Argentina, from Spain), and read it through many times. I
started compiling together my list of PEEKs, and POKEs, and "Page 0"
addresses. It wasn't until I got my Commodore 128 with its built-in
"Machine Language Monitor" that I finally understood I needed to learn
Assembly... and I did. I got a "Commodore 128" book by Data Becker, where I
truly started learning things. I took it to the beach, and read it back and
forth, taking notes. I remember I learned boolean logic from it, and
“discovered” De Morgan's Law by drawing in the sand. The first things I did
in assembly were things to move sprites. Assembly routines to have sprites
fall with gravity and jump with the joystick's button - different routines
I then put together to make a really crappy platform game. I also had an
assembly monitor for the 64, so I did both. The most “advanced” thing I
remember was playing with the horizontal raster interrupts, to implement
smooth scrolling on a part of the screen. The next for me was to try to
figure out how they were playing sampled music, but then...
Then I started secondary school in 1988, where they had BBC Micro
computers, using the same 6502 as the C64 and a built-in assembly monitor
too, so, first day at school in front of a BBC I pulled out my memory
map of the C64 (from memory) and started POKEing around... with not much
luck. The assembly did work, so I knew I had tools to start again. I figured
out some stuff but then, very soon, they brought the first PCs to school.
And that was a completely new and unknown world. I was 12? 13? by then. And
even though I was most of the day at school, I still had the breaks and
nights to go, heh. I remember a conversation with my father that went something
like:
>>> I don’t know what to do. I know all about the Commodore 64.
If we get a PC I will be helpless, and it took me forever to
get my C64 memory map complete. <<<
I’m not sure what the answer was, but it didn’t really matter. There was
only one way out, starting again from scratch. With no modem and no
Internet. First thing: get an assembly monitor (AKA assembler)... I was
offered a point at Fidonet. Even without a modem, my node pal got me a 5.25"
floppy every day, and I gave him back my messages and some file requests.
Amazing! The World was connecting. I went on like this without a modem for
many years, becoming Richie++ (sorry!). At school I met Futo, the smartest
person I know (sorry everybody else, you know it’s true). Together, we
learned most things and even started our first company: Technique and
Methods. We wrote DOS tools, kinda like Norton (we had TFF to Find Files,
TMD to delete multiple files, TFD to find dups, etc). Then around 1989, we
published “Too much info Two”, a Sidekick help file packed with all the
information we’d gathered, including Ralf Brown’s interrupt list, and other
stuff on PC hardware, PC chip programming, and so on. I really hate that all
this has disappeared. I had floppies until not so long ago... maybe they are
still somewhere. Or maybe Futo has some of it.
And then, we finally got our hands on a Disassembler (Sourcer Commenting
Disassembler)! Oh yes, how could I live without it! It was around 1988?
1989? The first thing I remember seriously disassembling was the Stoned
Virus, and from there, it could only get better. I started collecting
viruses, writing my own, reading all the Virus Report by Bonsembiante (a
printed zine), and competing with him on publishing analysis and commented
disassemblies of viruses (though he probably never knew it). At some point
before that I got my first paid programming job, writing a Turbo Pascal app
that had to print a map of the streets marking the water spouts, in 40
seconds from the moment a fireman picked up the phone, map digitalization
software included. I used predictive typing for the addresses and lots of
low-level tricks to speed up dot matrix printing: success, 40s! Though, I
think it was only sold once.
The school had some protections so students couldn’t change the file
systems (an INT 13 hook); with Futo we wrote a boot sector “virus” that
saved the original pointer and allowed us to restore it. Everybody knew
about it; it was a really friendly atmosphere and they just let us do what
we wanted. That helped a lot.
In 1993, my final year of secondary school, I joined a university team
focused on viruses (GISVI). The following year, I published and presented my
first paper on writing metamorphic viruses: "RICE - Individualized
Regeneration of Encrypting Code", surprisingly still available online. It
was there I met Beto, long-time maintainer of Impacket and a lifelong
friend. Ever since, he has been my professional cornerstone in security,
somebody I’d keep working with until my last day if I could.
Soon after that I met the HBO team (Hacked by Owls), via Saltamontes, a
great friend, who also was one of my bosses at the Firemen mapping company.
Saltamontes, LBD, OPii, Janx Spirits, amazing people, together with Futo,
all founders of Core SDI/Security. But just before that, a team of 26+
hackers got hired by the Argentinean IRS: a few virus writers, some exploit
writers, system hackers, crypto experts, all in the 17-19 age range; they (the
IRS) didn’t even know how to legally pay us. They threw us in a large empty
cellar, and just let us loose, until they needed us for something. We
hacked, and coded, and did ftp-mail, and tried Yggdrasil Linux as it was
released... It was the genesis of many great things, including Core. Oh, I’m
getting a bit tired of writing, sorry :-/
Ah! Yes! At some point, “somebody dropped a pay phone in a friend's
backyard”, and the friend, thinking it was an alien device, called us. The
only thing we could think of was to open it and reverse engineer it all the
way, producing software updates and improvements that eventually escaped the
laboratory the day we left the window open. These updates nested in a
payphone outside a hacking conference in Buenos Aires in 1994 to show a
“Manifiesto HBO” in the LCD display of the phone, picked up by local
newspapers. No wait, “the aliens dropped” two [Telecom] payphones, with a
note to deliver one to M. Blaze at HOPE’95 in NYC so he could break the
clipper chip with an alien tool, though he never needed it because he had
his brain to do it. The weirdest part is that the aliens asked us to deliver
a “Telefónica” payphone, which we didn’t have. Afraid of getting struck by
lasers from outer space, we were forced to get into a
drug-dealers-hostage-exchange situation in the dark of night to exchange the extra
Telecom phone for a Telefonica phone, which was a lot heavier too. So, with
a phone in the backpack, and a hundred excuses that we never needed, we
first went to Summercon in Atlanta to play “spot the FBI agent”, and then
arrived at NYC for HOPE. Luckily nobody bombed the airplane on our way in
(from Argentina), possibly because somebody unknown (unknown but with a
good Spirit) stuck a “BOMB!” (“Boom?”) note in the restroom, and what are
the chances that there are two bombs in a single airplane? As expected, the
police and dogs sniffing around the airplane didn’t understand it was all
for the safety of the fellow passengers.
And then, Core happened. Lots of magic in the ~15 years at Core. We
“invented” Contextual Access, Zero Trust, SIEM and named it Core Force, a
product that was just too large for us, though we sold it and deployed it
into a large bank, and other places, to then release it open source in 1997.
We did consulting (“Red Teaming” today) for very large companies,
[anonymously] participated in the definition of PCI standard (sorry), broke
things, fixed things, and had infinite fun, growing the team with more
amazing people. We sold $30k of exploits to Kurtz and McClure, who never
paid us (don’t worry, it’s prescribed now) for their pentesting team. We
were close pals to Secure Networks Incorporated, worked on developing
Ballista, then other security products as it was sold to Network Associates.
And then, also sort of derived from interactions with the team at SNI
(Oliver and Alfred mostly?), we started Core IMPACT, a professional
pen-testing tool (a collection of QAed exploits, with a great UI), and
printed the memorable t-shirts “Go Hack Yourself!” (~2001). Core and the
conferences were my travel agency, and I loved it. I got connected to my
idols that turned out to be just people (some of them at least). And then,
I left Core :-p
Just one anecdote: When we hired Raddy (still going around in the
community as L. Lavarello), he came to the interview with the school uniform
and his mother... Inside the office (downtown Buenos Aires, lawyers office
building) we were playing soccer, the people downstairs knocked at our door
to ask that we stop making noise, and we opened it shirtless, sweating, with
the ball under the arm, and a serious face to say “sure, don’t worry”...
and Raddy’s mother asking us “please, take care of my son”.
For him I originally wrote the ABOs, one by one as he solved them, or
had a new idea. Then most in the office were playing, and it made sense to
make them public. I also remember abo5.c was particularly challenging for
many, and one day riq came with a solution he dreamed of: A gorgeous lady
came out of the water and told him the solution, something like “overwrite
the pointer...”. The next day he showed up with a solution that was not what
I thought, but worked, so I had to rename it into abo6.c, and add a new
abo5.c before it :-p
Then came the second generation of exploit writers, with ricnar leading
the pack. I always remember his job interview. It was 2006, and somebody
told me “you don’t know ricnar? What? You have to meet him, why don’t you
interview him?”. And no, I didn’t know him, and I’m still ashamed for not
knowing him. A grown up guy showed up to the interview. He didn’t look like
the rebel teenager I was used to. He looked more like somebody who was
repairing elevators for many years, which was exactly what he was doing. We
started talking, and as I had “studied” for the interview, I started asking
questions to see if he really knew what he was talking about: he really knew
all his shit. It was a great interview, and if you’ve met him, you know he
can pull out stories and anecdotes from thin air and keep you entertained
for hours. He was actually fixing elevators, but in his spare time, well...
he just became the father of the Latin cracking scene, and by that time, he
had published around 1000 tutorials on cracking whatever crossed his
hands. I hired him right there, and I remember I got a bit emotional when he
asked me with shining eyes, “So, you mean I can start working and make money
using OllyDbg? It’s a dream come true!”. He then learned Python, and writing
exploits, and of course wrote and published countless tutorials on both. His
technique? When he learns anything new, he has a document open to the side,
and writes the tutorial as he moves forward, taking screenshots, and writing
his thoughts. I’ve seen him in conferences, infinitely humble, while a
hundred different Spanish accents from all around talk to him. I wish I had
the energy to write so many tutes.
As the scene started to get weird, with 0-days raising the prices, vuln
markets, friends going silent and machine guns escorting me to the toilet, I
needed to exit. Again, I thought: I want to make money doing what I love, so
I started a reverse engineering shop (Disarmista, now under Futo’s command,
doing a lot more than just RE). Luckily a very early customer wanted me to
help them maintain a Smalltalk VM that was long abandoned, but was core to
their product. And they had a fixed idea: We need you to document the VM
(written in ASM) so we can understand it, and we can only understand
Smalltalk code. So, we sat down to write a Smalltalk VM in Smalltalk, to get
a Smalltalk system that could compile itself into executable form, releasing
“iterde” (Iterative Decompilation) stupid-tool along the way. The project is
still alive, now called Bee and evolved into Powerlang, and it’s one of the
things I’m proud and amazed we could do.
After Disarmista I got a call from LBD, A.K.A. Emi, “Let's do
Satellites!”. He tricked me into a 2-day meeting, sitting in the corner as
“Just a friend, don’t worry about him”, to keep my mouth shut for only 30
minutes as I couldn’t stop thinking (and saying) “what you are saying is all
wrong!” to experienced space engineers (sorry guys!). But well... for what
we wanted to do at Satellogic (true low cost high performing earth
observation satellites) it was the wrong philosophy. It took longer than
what we imagined, but we finally managed to design, build, launch, operate
and sell [50+] satellites and the images of the World they capture. It was
really amazing, again thinking “what? I know nothing about satellites...
I’ll have to start again from scratch, and my brain is already dead”.
But it wasn’t, it was just sleeping out of boredom, and it woke up to the
challenge.
----------
Today, I’m still doing satellites, and their security too. An amazing
team. In a way, we repeated a part of Core’s story, in building an amazing
team and culture, really, because the only way of doing impossible things is
to have fun while you do them, and to get surrounded by people who are
smarter than you.
I know you likely want to know about how we do satellite security, but
this is getting too long, and it’s too interesting to do a 2400 bps version,
sorry.
I’m going to stop here, though I went back already a couple times to
insert earlier memories.
|=---=[ Inspiration
Wanting to do games was the reason I first learned assembly (why would
somebody learn assembly today?). Then viruses and their reproductive
capability really hooked me. Reproduction is one of the main characteristics
of living organisms, I felt then (though virii don’t have opposable thumbs
like koalas, which have two).
Reversing stealth viruses I learned there were many tricks only a few
knew, that gave you invisibility. With friends I learned hacking, and the
thirst for knowledge and solving puzzles was just too strong and addictive,
it still is. As for people, I started so disconnected that it was hard to
get a model, though I always say my great teacher was Petro, “just” a
teacher, who was so good at explaining, that you always left thinking you
understood it all and just had the greatest idea of humanity, just by
yourself.
|=---=[ Favorites:
Programming Languages:
Smalltalk and Assembly. Weird, huh? I currently do Python mostly every day,
and I’m very comfortable with, and have programmed for money in, many
languages. But
Smalltalk is my favourite high-level language. I like how it forces me to
think from the point of view of the object I’m currently programming, and
switch to a different PoV as I move to a different class. On the other end,
Assembly. I still love the challenge of building large things with small
parts, and squeezing and squeezing and squeezing. I did manage to find
excuses to do some things mixing the two, and I still think one day I will
go back to continue them.
Pwnie Award: Erm... never followed them, sorry. Did Phrack get one?
Best Hack: Not many, but did I say cracking at all already?
In Argentina, as in many forgotten countries, cracking was a necessity. Many
times, even when you wanted to buy the software and had the money (not very
likely), you couldn’t. So, we were only left to our own devices, likely by
design (as they say, the first one is free...). I mean, we had to do some
cracking. During my C64/128 era I just didn’t understand enough, but
entering the PC I realized that I just couldn’t copy a program and install
it at home. So, here comes the cracking and the debugger.
So I cracked a few apps, for myself or to amuse friends, like getting
infinite money in Sim City. But one day I was the first to get the new
version of Remote Access (a BBS hosting software) in Argentina, and it
needed cracking.
So I set out to crack it. It was a quick job initially, but then I
discovered there was a whole set of functionality that wasn't regularly
available. This gave me the idea of adding even more functionality (some may
call it a backdoor) that enabled a sort of god mode. It took me a couple of
days. The whole time I was telling people 'yes yes, I'm almost there,
cracking isn't easy you know.' When I finally finished, I slightly changed
the banner to identify it easily, and set it free.
Eventually I found a large paid BBS that had installed my version, so I
dialed in (yeah! I finally got a modem!) and activated my secret menu
option. I used a particular username that froze the screen on the server
side but gave me full control over it (basically remote god mode). It was a
lot of fun, and the BBS hosted a lot of technical information that I
craved. I believe the username was Daniel Calpazzo, which I picked at random.
After I did this a few times, the BBS showed a new banner: “Daniel Calpazzo,
we noticed you are having problems logging in. Please contact us and we'll
help you”. Nobody else knew about the extra functionality, so after I got
bored and stopped using it, they ended up with a very stable Remote Access
crack.
Software:
---------
I totally forgot before: All sorts of debuggers. Debuggers are the swiss
army knife of hackers. gdb lets you script C, plant in-memory backdoors,
do in-memory cracks, is installed in most systems, and doesn’t trigger AVs
as netcat does (WTF?). But of all RE tools, my love goes to IDA. I
must admit I stopped using IDA regularly just before Ghidra was released,
and I never got fluent in radare or others, though I did use and
contributed to Pedram’s PAIMEI. Still, my favourite software: IDA.
Museum:
-------
A science museum comes to mind first, but I’ve done quite a few, so no.
I like seeing ancient civilizations, and finding (or thinking) how similar
we still are after 5000 years. All anachronistic archaeological findings
really spark my curiosity, but I don’t know if there is such a museum.
Hacking:
--------
Reverse Engineering firmware to add functionality. Hardware hacking and
Hardware making. I wish I did A LOT more of that. Do it yourself for me.
|=---=[ Memorable Experiences:
For this issue, just one, or it’ll get too long: It was the last evening
before shipping our third satellite (Tita, for Tita Merello). It was
unfinished, of course, and we were doing software changes all the time, even
on the satellite systems themselves (no CI/CD, sorry). The satellite had
(has?) 6 Linux systems, and the main Linux guy was doing the final touches,
everybody around doing stuff, and then “MIERDA!”, he shouted, and silence
fell on the floor. All cameras to his face, he was buried in his hands,
frozen in place, not even breathing... so, somebody approaches to see the
screen, and there were 6 sshs, all doing the same with those multi-ssh
things, all reading:
# rm -rf /
# ^C
# _
So there’s no doubt:
He rm -rf’ed the 6 Linuxes in the satellite. The µSD cards epoxied so they
could stand launch vibrations, computers screwed deep inside, screws
epoxied, the satellite closed, covers epoxied... only an ethernet cable. The
cursor, blinking... late evening, T-12h to ship the satellite in a box to
the launch site in Baikonur.
So, as calm as we could, we took him off the keyboard, and sat down with
Phil, an infinite friend (that never answers my msgs) and an incredible
hacker-in-the-good-sense (if there’s any bad sense), only known to few. We
both sat down, next to each other, in the mode that we had developed during
nights of “playing games”: One types at the keyboard, the other checks and
hits enter. We started going around seeing what was available
# ls -lR /
bash: ls: command not found
# _
# echo /*
/usr /tmp ...
# _
Long story short:
though some binaries remained, /lib had disappeared, nothing that was
dynamically linked really existed.
Digging around, we found a qemu binary on the satellite's ARM system, there
to run x86 binaries. We had no idea why, but it was there, statically
linked, and, luckily for us, it had the gdb interface enabled. That was it.
The problem wasn’t a problem anymore, we had a solution. We just needed to
implement it.
Our plan was to use qemu to launch any binary with a remote gdb listener on
a TCP port. Once we connected, we could inject a shellcode directly into
memory. The shellcode was designed to receive a data blob, save it as a
file, and chmod it +x. That blob would be a statically-linked rsync.
While somebody ordered pizzas, we gave the guy who did the rm -rf the task
of compiling that rsync. It kept him busy and stopped him from jumping out a
window while we (Phil did I think) wrote the shellcode. When everything was
ready, we took a deep breath... and it was a success! We had rsync running.
Using rsync, we restored the systems from a clean backup. It was well past
midnight and there was still work to do before shipping, but the relief in
the room was notable, somebody played Lose Yourself to Dance, and I jumped
to dance. We were happy. The next day, 'Tita' was sent off, later launched
into orbit with her Linuxes properly configured and all :-).
As for the guy who caused it all? It was his birthday. His family was
waiting for him at the hotel, past midnight, to blow out the candles. He
kept feeding them excuses because, really, how do you explain that you
accidentally wiped a satellite right before its launch? No matter what you
say, the wife will only hear “I’ll be late, I'm with another girl.”
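The recovery above turns on a detail worth remembering during an incident: the shell that is already running keeps its builtins and its globbing even after /bin and /lib are gone, which is why `echo /*` worked when `ls` did not. As an added example (not code from the prophile, nor Satellogic's), the following POSIX sh helpers do that enumeration, file dumping and counting with builtins only; the function names `list_tree`, `sh_cat` and `count_entries` and the demo tree are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the prophile or from Satellogic: enumerate a
# filesystem and read files using shell builtins and globbing only, which
# still work after /bin and /lib are wiped because the running shell is
# already mapped in memory. Function names and the demo tree are constructed.

# Print every entry under "$1", one per line, as "<d|f> <path>".
# Three globs are needed: "*" skips dotfiles, ".[!.]*" catches ".hidden",
# and "..?*" catches "..foo"; together they never match "." or "..", so the
# recursion cannot loop. A glob that matches nothing stays literal, which
# the -e/-L test filters out; symlinks are listed but not descended into.
list_tree() {
    for entry in "$1"/* "$1"/.[!.]* "$1"/..?*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        if [ -d "$entry" ] && ! [ -L "$entry" ]; then
            printf 'd %s\n' "$entry"
            list_tree "$entry"
        else
            printf 'f %s\n' "$entry"
        fi
    done
}

# Dump a text file line by line, a stand-in for cat. The '|| [ -n "$line" ]'
# keeps a final line that has no trailing newline.
sh_cat() {
    while IFS= read -r line || [ -n "$line" ]; do
        printf '%s\n' "$line"
    done < "$1"
}

# Count the entries list_tree reports, without wc. Command substitution
# strips trailing newlines and the here-document adds one back, so each
# line is counted exactly once; an empty tree yields 0.
count_entries() {
    listing=$(list_tree "$1")
    n=0
    if [ -n "$listing" ]; then
        while IFS= read -r line; do
            n=$((n + 1))
        done <<EOF
$listing
EOF
    fi
    printf '%s\n' "$n"
}

# Demo on a constructed tree. The setup uses mkdir, mktemp and rm, which
# would not exist on the wiped box; only the helpers above are builtin-only.
# Run with: LIST_TREE_DEMO=1 sh this_file.sh
if [ "${LIST_TREE_DEMO:-0}" = 1 ]; then
    demo=$(mktemp -d)
    mkdir -p "$demo/usr/lib" "$demo/tmp"
    printf 'constructed libc stand-in\n' > "$demo/usr/lib/libc.so.6"
    : > "$demo/tmp/.hidden"
    list_tree "$demo"
    printf 'entries: %s\n' "$(count_entries "$demo")"
    sh_cat "$demo/usr/lib/libc.so.6"
    rm -rf "$demo"
fi
```

`for`, `[`, `printf` and `read` are builtins in both bash and dash, and `$(...)` only forks the shell that is already in memory, so none of this needs an executable on disk. Pipes into external tools, `find`, `wc` and friends are what disappears first in that state, which is the argument for keeping a statically linked rescue shell and toolbox on any box you cannot physically reach.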
|=---=[ What is the achievement you're most proud of?
There’s something that makes me proud, not exactly my personal
achievement, more like a group achievement:
>>> The size and quality of the security scene in Argentina <<<
Many things happened at the same time, and maybe the Ekoparty was a
bigger contributor through the years, but so many amazing people passed
through Core, for many their first true job (because nobody else dared to
employ them, heh), untamed creativity, infinite thirst for breaking the
limits and doing impossible things.
Core grew and grew, attracting talent, until it exploded. First I was
mad at us and the people leaving, but with some time I felt how the spores
got rooted in other places, new companies got infected with the culture, and
suddenly the family got back together, and it was larger than before and
amazing again.
Of course, I should have made a lot of money when we “sold” it, but no,
we just didn’t. I think we got around $5k total (each!). Don’t sign anything
with the big monsters, they’ll just eat you.
In a different life, I’m also happy (not sure if proud) I could write an
OS purely in Smalltalk (see SqueakNOS), with network drivers, and all.
|=---=[ What is something you are not proud of?
In short, I’m not proud of having contributed somehow to the weaponization
of the exploits and mercenarization of the experts. I remember, back in
2000-2001, getting in a room with my friends/partners at Core SDI (Core
Security later), to discuss whether we should do Core IMPACT and whether we
should include 0-days or not, knowing we were getting into cyber-weapons and
that our technology had “dual use” (as if scissors didn’t have
“dual use”).
We had a proposal and we decided not to do 0-days for Core IMPACT, decided
to keep publishing everything we found, and decided to leave a lot of money
on the side (or so we believed). “Somebody else will do it”, “But I think we
can make a difference, and if we can, I don’t want to do it”, etc. I kind of
walked away almost proud of the decision, and stranded by it.
Still, I went on and taught “Assembly and Exploit writing classes” to
customers of Core, once to people of some American agency that couldn’t tell
me where [on what 3 letters agency] they worked, or on a military base where
a siren light played as we walked around and they escorted me to shit with
machine guns, waiting outside the cubicle, literally, as I tried to fart as
loud as possible... as if it would make any difference.
Not sure what if anything I could have done differently, or if I should, or
if what I did was right. I know there are truly good reasons to use
cyber-weapons, still, I’m not proud of indirectly collaborating with
weaponization and mercenarization. I lost friends in the process, as we all
saw the industry changing rapidly.
Sometimes I think the antisec movement was right: anything you do
contributes to give more power to the status quo (and this is sort of
right), just do your stuff, don’t publish anything. But that’s not right,
that’s pretending you are the only one who can find the bugs you find, and
write the exploits you write, and that’s just not true, it’s the other way
around: if you did it, it’s clear that someone else can do it, just kill the
0-day and contribute to balance the power.
|=---=[ What would you like to see published in Phrack?
Tough question. I still read Phrack, and still love the tone and the
technical content. But it feels like real-world exploits are happening
somewhere else, sorry. The 9 chained exploits to finally get from 0-click
whatsapp to total iPhone kernel control are still private (or maybe I missed
an article, sorry if I did). I get it, they have an unthinkable value, but
that’s for a reason (who can pay that much money for an exploit? Think about
it). So, I’d love to see anonymous contributions describing high valued
techniques, killing them for the private offender, opening them for the
defenders. I mean, if AI is going to leave us without a job anyway
(really?), let's just try to balance things a bit before it happens.
|=---=[ How did Phrack influence you and help shape who you are?
A lot. Along with other zines, Phrack always stood out for its technical
content. I remember studying all articles on heap exploitation (w00w00’s,
MaXX’s, the anonymous one), nergal’s article on ret2libc and klog’s on frame
pointer overwrite, grugq’s ELF article, and his and scut’s on ELF
encryption, and many more that I now recognize browsing the online issues.
I used to print those articles and read them over and over. I even carried a
few of the original printouts with me through many moves over the years. A
few months ago, I found the stack and finally gave them a new life.
Reading all the tricks, understanding all the different points of view,
finally helped me develop the instinct that a bit is just a bit, and all the
meaning is in the observer.
And I figured I’m not a lonely weirdo who ENJOYS squeezing the constrained
options a vulnerability offers to conquer the execution flow. We are legion.
|=---=[ What is your favourite bug/exploit?
I sadly forgot many, I feel the empty space in my memory. Let me try a few.
== CVE-2004-0368 - dtlogin double free.
Not the vulnerability, but the exploit. I was writing exploits for Core
IMPACT, and needed to get it to always work. It was tricky, because getting
the double free to do a write-anything-anywhere depended on the heap state
which has to be assumed dirty, though who used dtlogin? Target: Solaris
running on SPARC. It was also a great time, because one of my friends-idols
Halvar was in town visiting, and sitting in a crappy chair at Core, working
on his bindiff, showing me early versions, and introducing me to yED (thanks
for that!). So, I had the problem of getting a reliable heap exploit, and I
started logging all traces (long live dtrace & truss), but it was impossible
to follow in text, so I hacked a GUI to show heap movements (eventually
released as HeapDraw / HeapTracer just when Alex Sotirov released his Heap
Feng Shui with an obviously much trendier name). I also found how to turn the
double-free into an information leak, which allowed me to get pointers
(read-anything primitive), to finally get a very reliable exploit. I
remember how I enjoyed writing the exploit and the power that a new tool
gave me, we needed lots more tools! Oh, wow, writing this I found a
screenshot of HeapTracer showing dtlogin’s heap, I can’t believe how I
remember the shape and what each block is. Yeah, this one definitely
deserves a mention.
== CVE-2001-0550 - wu-ftpd gobbing heap overflow (arbitrary free)
Oh my god, that was a good one, the advisory even names Phrack 57! This time
it’s the exploit, not the vuln. Not my own exploit though. I had a quite
reliable exploit, if I’m not inventing my memories, but it was
irc.segfault.org golden times, and I was there with amazing people.
That’s when I met MaXX, one of my favorite Phrack authors, who wrote on Vudu
malloc tricks, but who clearly understood free() tricks too. We then worked
together and are good friends, those were some of the best times. He showed
me his wu-ftpd exploit (or maybe he took my unfinished crappy code and
turned it into art?).
Anyway, for it to work, you had to craft a globbing pattern (*.*) so when
expanded you got an arbitrary free, and you could write what you wanted
where you wanted. You could be lazy, like me, and bruteforce the right
count ~{,,,,,,,,,...}, or you could really think about it (like he did, and I
just remembered now), and figure out that if you could do more than a single
write and if you expressed the count in prime factors, you could have a
really compact globbing pattern that got expanded to overwrite a really large
area. So yeah, he taught me art is a way of living, among many other things.
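The prime-factor trick above is just arithmetic on csh-style brace
expansion: each `{,,,}` group with k commas yields k+1 alternatives, and
consecutive groups multiply, so a count N = p1*p2*...*pk costs roughly
sum(p_i) characters of pattern instead of N. The following is an added
illustration by the editor, not code from the prophile, from gera or from
MaXX's exploit; it models only the expansion count of a generic brace
grammar and deliberately does not reproduce any wu-ftpd behaviour on the
expanded strings.

```python
"""Count brace expansions: flat ~{,,,...} pattern vs. prime-factored pattern.

Added editorial example. Models csh-style brace expansion only (nesting and
concatenation of groups); the wu-ftpd-specific handling of the expanded
strings is intentionally not modelled.
"""


def _parse_seq(s, i, stop):
    """Parse s[i:] until a character in `stop` (or end of string).
    Returns (list of expanded strings, index of the stop character)."""
    results = [""]
    while i < len(s) and s[i] not in stop:
        if s[i] == "{":
            i += 1
            alts = []
            while True:
                sub, i = _parse_seq(s, i, ",}")
                alts.extend(sub)
                if i >= len(s):
                    raise ValueError("unbalanced '{' in pattern")
                i += 1  # skip ',' or '}'
                if s[i - 1] == "}":
                    break
            # concatenating a group multiplies the number of results
            results = [r + a for r in results for a in alts]
        else:
            results = [r + s[i] for r in results]
            i += 1
    return results, i


def brace_expand(pattern):
    """Expand a csh-style brace pattern; '{', '}' and ',' are special inside
    a group, everything else is literal. '}' and ',' at top level are literal."""
    results, _ = _parse_seq(pattern, 0, "")
    return results


def prime_factors(n):
    """Trial-division factorisation, multiplicity preserved (12 -> [2, 2, 3])."""
    factors, p = [], 2
    while p * p <= n:
        while n % p == 0:
            factors.append(p)
            n //= p
        p += 1
    if n > 1:
        factors.append(n)
    return factors


def flat_pattern(n):
    """The lazy bruteforce form: one group with n alternatives, ~{,,,...}."""
    return "~{" + "," * (n - 1) + "}"


def factored_pattern(n):
    """One group per prime factor; the groups concatenate, so the expansion
    count is the product of the group sizes, i.e. n."""
    return "~" + "".join("{" + "," * (p - 1) + "}" for p in prime_factors(n))


def expansion_count(pattern):
    return len(brace_expand(pattern))


if __name__ == "__main__":
    n = 2310  # constructed target count = 2*3*5*7*11
    for name, pat in (("flat", flat_pattern(n)), ("factored", factored_pattern(n))):
        print(f"{name:8s} pattern length {len(pat):5d} -> {expansion_count(pat)} expansions")
```

For N = 2310 the flat pattern is 2312 characters long while the factored
one is 34, and both expand to exactly 2310 strings; the saving grows as N
grows, which is what makes the trick useful when the count has to travel in
a single globbing argument.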
== CVE-1999-1085 - SSH CRC32 compensation attack
The original vulnerability (yes, I’m old, what can I remember if not old
things?). The vulnerability is that, without knowing the cryptographic
material, it’s possible to craft an ssh packet that will pass CRC32
validation in such a way that it allows a MitM to insert “keystrokes” in
the ssh stream. It’s a quite complex (at the time) cryptographic attack
that, with exploit in hand to demonstrate its power, forced all ssh
implementations, in every device and distro, to be updated with our code, as
we were starting to be known as Core SDI. Great score!
== CVE-2001-0114 - SSH CRC32 compensation attack integer overflow
Yes, almost the same name as the previous... It turned out that the final
patch for CVE-1999-1085 had an integer overflow vulnerability, which was
exploitable to get root access to any ssh server using the code. The exploit
was assigned to me (I was assigned at the time :-p ) and it turned out to be
really challenging. At some point you had to exploit the original
vulnerability, luckily I had the original exploit from 1998 by Futo and Ek,
so I didn’t have to break my head doing it. I got it working, and some time
later I found another exploit in the wild (I knew it as x1), that was very
similar (but previous apparently), and had a different solution to the
original bug. My total admiration to whoever solved the CRC32 compensation
to implement this other exploit. I remember I was really afraid we had
inserted this bug in every device, and at the same time, I wished we did it
on purpose. So I went down fishing the original email exchange to find that
it was the original ssh team, when converting from ANSI types to their type
notation, that inserted the bug, but we didn’t notice they had changed it.
Or maybe we did but didn’t say? I don’t think so, I should remember!
== BUGWEEK
Ah, what a great time of the year! We used to take a week at Core, every
year, so everyone in the company (yes, EVERYONE), got in teams to find
vulnerabilities. Many stupid and great advisories came out of it. I remember
one in MySQL authentication that required solving some geometry problem for
exploitation.
== BUGDOOR
A hide and seek contest. Another great time of the year, though we only did
it a couple times. It was a competition where everybody got a task (say,
“write a software that does this and this”), and had to hide a bugdoor
(AKA backdoor). You got points for finding out other people’s bugdoors, and
got (negative) points for each one that found your bugdoor. Go play it!
|=---=[ Will mitigations eventually make exploitation impossible?
Hah! We asked ourselves the same question in 2001 with StackGuard and
StackShield, but the answer was obviously “no” (see papers). Then again
with ASLR, x^w, stack canaries, heap canaries, pointer canaries, guard
pages, virtualization... I don’t think it’ll make it impossible, but it has,
already, made it hard, and that means more expensive, which means: only for
the few who can pay for it.
As a user, and friend of users, and worried about users, I’m all for
protections. I think it does make a difference. It raises the bar, and makes
attackers really think before attacking. There’s more chance of being
detected and of getting your exploit or technique screwed.
This all is “good”.
Bad is that it’s harder and harder to get started in exploit writing, and
less and less satisfactory as you learn. When I wrote the ABOs back in a
forked past, there were just no protections. It was easy, the challenge was
in figuring out how to use the hidden menu option (AKA exploit the bug). But
then, as we used ABOs to warm up new exploit writers at Core, it got harder
and harder. I loved seeing the solutions running on newer and protected
operating systems. Many times, completely different from what I originally
intended. I can’t think what somebody starting today could do with the ABOs
running on a current OS. So, bad: it makes it harder for the general public
to learn exploitation, it raises the bar, it makes it more expensive (needs
more time to dedicate, and a serious interest). It may require dedicated
training camps, and paid students.
Bad is also that once you know the techniques, writing a particular exploit
is increasingly hard (the 9 chained bugs to get root), which makes them more
expensive, i.e. only for a few.
So, I love protections, all my serious admiration to pipacs, the pax team,
and all his other handles (see Phrack 62), for pushing everybody else to
think on OS protections, including Theo and Microsoft. But protections leave
space for power inequalities, as the few who can bypass them have more
power than before... no, I don’t see any solution, sorry.
Will they make exploitation impossible? Yes, for many they will, for others,
never.
|=---=[ Would you recommend newcomers to contribute to open source projects?
Totally! Why not? I wish I had time and energy to do more of that. I’m
all for full disclosure, even of exploits. And all for contributing.
Contributing back to OS is sort of the easiest way to get your code
maintained :-p (not quite). Commercially you may think that “giving up” your
code for free is not a good idea, but it comes back, and sometimes
surprisingly soon. It’ll get you a job, that’s for sure, but it could also
become an income by itself.
But then, also, and more seriously (if anybody needed to get serious),
it’s fine to do things just because you can. We used to answer exactly that
Why do you do that?!
>>> Because I can <<<
Technology has a significant impact. At some point, I began thinking
about how my work could help people and make their lives better, even just a
little bit. You never know what people will find useful, and the feedback
you receive when you release something is a great feeling: the realization
that someone is actually using what you created.
|=---=[ Your opinion on the infosec scene now vs then
All mercenaries. Don’t get me started. Not really, not everybody. But that
catches my feelings. When the big money entered the scene, we all lost
friends and stopped sharing as much as before. The flow of information
slowed down, though we still have Phrack, Ekoparty, H2HC, Defcon and the
others, it doesn’t feel the same. Maybe the great techniques were always
kept secret and surfaced only 20 years later, but it seems worse than
before.
Science and technology can have real-world impact. If you saw the movie, you
believe scientists were aware of the impact of their research, some rebelled
against it, some understood the consequences but decided to do it anyway
(for their reasons). But it seems they stopped to think. Are we thinking and
discussing it at least? It’s only mutually assured destruction that still
today keeps us safe, so maybe that’s what we should aim for: democratization
of hacking and espionage tools, to keep the balance.
It’s not fair, there’s still a lot of people believing in full disclosure
for a better World, and they do a great job at it. My special admiration and
respect to “The Qualys Security Team”, who keeps showing art and dedication
in every single advisory.
My respect too to Google’s Project Zero. There should be an invite only
conference on 0-day hunting, where these heroes share their experience and
fishing techniques. Kill the class, not the single bug, or better fix both.
And Kill the 0-day!
|=---=[ Your opinion on conferences?
My last one was H2HC/24, and yes, it was big, with lots of people, and I
loved it. Defcon has gone huge a long time ago, and it has always been a
matter of luck to catch a good talk without missing another, but it’s
usually easy to find somebody interesting to talk to, if you are willing to
let it happen. Though maybe too many things happen around and outside the
conferences, and that’s completely out of reach for most of the mortals.
So, maybe, short version: Abolish all “product sales” talks, get demanding
on technical content, and squeeze in a few talks that make the audience step
back and think at a higher level. Then turn on the music and throw a party.
Oh, and more hardware, we need more hardware and to simplify access to
hardware hacking!
|=---=[ Recommendations
Technical Books:
* Phrack. 40 years of fun and profit. Hard cover.
* Computational Geometry - Algos and Apps ( <3 sweeping line <3 )
* Thirty Years Later: Lessons from the Multics Security Evaluation
Non-Technical Books:
--------------------
I have a serious problem and I can rarely go past the first couple
chapters of non sci-fi non technical books, though I keep trying. So, my
short and totally unfair list (of not so known books): Babel-17, ME (by
Thomas T. Thomas), maybe Rainbows End and Makers more mainstream and “Tlön,
Uqbar, Orbis Tertius” (my favourite from “Ficciones”).
|=---=[ Reflections
Hacker Spirit:
--------------
Understanding how things work, finding a way around limits, and sharing
it with others, to make understanding easier, Loop. The three things
together. On the attackers side, there’s too much money for a healthy
competition and open sharing, MAYBE it’s easier on the defender's side.
Kill the 0-day!
Exploit Industry:
-----------------
The monetization of the vulns and exploits has clearly made the power
imbalance even worse and broke the flow of information. The way out IMHO, is
to double up and openly share even more. It may get worse at first, but
it’ll be positive at the end.
Career Burnout:
---------------
I left security to go do satellites, to then come back. It was also
great to move to the defenders side, and see things from a different PoV.
Don’t be afraid of going out of your comfort zone. If you love learning and
doing new stuff, then, do new stuff and learn. ¯\_(ツ)_/¯
|=---=[ Insights
Hacking Milestones:
-------------------
Learn assembly and solve all CTFs you find online, before 20. Write
ASCII self decoding shellcode, extract data from a blind SQL injection,
write a remote shell client-server over a non-standard protocol (icmp, dns,
etc), use gdb to install a backdoor in a running nginx and OllyDbg to do the
same in Windows, without touching the filesystem, implement a known
Cryptographic primitive, understand rainbow tables, implement a TCP/IP
stack, solve some of the advanced cracking challenges by ricnar and most
ABOs, write a remote heap overflow that always works, reverse engineer an
unknown server with crypto back to C, implement its client in python... all
before you are 25.
It’s not my story, but a HACKER needs to be the best in every discipline, or
keep trying. And remember, with great power comes great fun, and also some
responsibility.
Nontraditional Hacking:
-----------------------
Lying when they ask me for personal information they don’t really need.
It’s stupid, but it takes practice to lie when they ask your name or your
birth date, and you may need to remember what you said: practice it, pollute
DBs. I also love hacking toys for my kids (adding a RC, etc) and fixing
things that broke.
The "Art" of Hacking:
---------------------
Understanding things better than their creators to find the
hidden menu options they didn’t know they put there.
|=---=[ Personal
Other Interests: Electronics! Woodworking. Making things. Creating Tech.
Philosophy: If it has a solution, it’s not a problem. And if it
doesn’t, why worry at all? Carpe Diem, totally, during the
night when I’m statistically more productive.
Zines: Conferences are ephemeral. Zines are forever, and the
articles are usually well thought. A blog is fine, but
without an editor pushing you to get it done, the quality
degrades over time.
|=---=[ Quotes
Yes: Backticks, please, best quotes ever.
And maybe:
“I want room service!” - standing on a pile of trash.
Though the written story is better than the movie.
|=---=[ Closing Thoughts
CALL $+4
RET
POP EBX