Sunday, July 12, 2015

"I have written more than 300.000 code lines for Radare"

Sergi Álvarez, creator of the open tools for reverse engineering suite Radare.

Sergi Álvarez, 32 years old, is incredible in computing, a privileged mind whose conversation can be so technical that it seems he will end talking in compliler language. An old acquaintance of hacker community under the alias of Pancake and Trufae, in 2006 he decided to create a tool to recover deleted files from a MacBook G3. There started his adventure and the biggest free infosec project created in Spain: Radare, a tools suite for reverse engineering.

Legend has it that, when Sergi started to frequent hacklabs, some assiduous were debating about the best mail client, and the young newcomer responded with innocence and amusing all the attendants that he was using a client written by himself. Today we can see part of tis pure hacker work in Github, with his own working projects as Valabind, ACR, SDB and the main one: Radare2. Without forgetting his involvement in the Bitcoin revolution, the key-value base, FirefoxOS, Frida, Fuzzing, NodeJs... and he still finds time to earn new languages, like Rust.
Which one was your first computer?

A Sanco 4004 with a CP/M operating system, bus it was with a 80286SX when a started to program in QBASIC and later in assembler. I amused my self disassembling virus codes, downloading them from different BBS, learning their tricks and writing detectors and false infecters to avoid their spreading. I have a lot to thank to no$dbg and :) But a virus never got out of my house. I reached Windows 95 and then moved to Linux, leaving behind all the related with privative and closed systems, because they forced me to take may hands out of the keyboard to touch a mouse among other reasons. Now IOS, OSX and Android fill a big amount of my time.

You participated for three years on the Desfcon´s Capture The Flag (CTF) contest with Sexy Pandas. You still participate on it?

I enjoyed it, but it was quite stressing. Lately I prefer to invest my time researching or developing "real" tools than solving artificial problems.

Three indispensable things you should take to a CTF?


Talking about Radare, are you happy about it success?

The project is nine years old, but I´ve spent seven years developing  and talking about it without much feedback. Now it´s when it´s becoming known because people who is giving lectures throughout the world has joined the "core team". I suppose It´ll be my turn of speaking in English in a public lecture sooner or later! 

 How many Radare code lines are yours?

In Radare2, which is the restructuring of the prime code, about 300.000, a 60% of the total. In the old Radare 90% of code was mine.

When a project grows bigger you can choke on the "administrative" issues. Would you like to hide in a cave to write code in peace?

Radare is evolving from a personal to a community project, were the users base is increasingly big and demanding, but with more contributions at the same time. Besides, due to the project´s scope it´s easy to break things without noticing it, so it´s needed to check, teach, document and discuss every one of the added contributions...

Of course programming is more fun, but after nine years writing code for Radare almost every day and seeing how it grows, how people from all around the world knows it... it´s like a child and I feel responsible of keeping with it and making it better.

You are mobile security analyst at NowSecure. How should the smartphones be developed to make them safe?

The main mobile operative systems evolve more quickly than the desktop ones and have focused on the market growth to gain terrain. But it reduces its security and, much more important, the privacy. The present stage take awareness of this reality an centers on enhancing security. But security depends not only on the operating system, but also on the device and the communication channels (GSM, Wifi, NFC...), because hardware uses to be closed and can´t be updated, which adds serious unsolvable weak points. It´s also important to educate users, simplify and add more secure default configurations to the devices.

You founded CatHack! in he 90`s, the first hacktivist group in Spain. Why hacktivism.

We did no defaces or DoS in CatHack!, but we were involved in libertarian ideals and it´s reflected on our publishings, in which we not only talked about HPCVA but also about politics. Unfortunately, too many times hacktivism is only associated with cybervandalism.

I think hacktivism is important to warn about the  misuses of power, as the approval on control and censorship laws aimd to criminalize anonymity, the development of tool for finding vulnerabilities and even express your views on social networks. Internet started as a free space, but governments and companies are breaking this ecosystem. Hactivism uses digital media as tools to make public this situation and fight it.

I tell you a word and you tell me what comes to your mind: Anonymous.

First of all, 4chan, and after the intense year with LulzSec, Sony´s hack, memes, YouTube releases, Wikileaks, NSA, VISA´s block, the raise of Bitcoin, the arrival to the "mainstream"...

You have a couple and a daughter. Are hacking and family life compatible?

Family, hacking and work require many hours and if you intend to sleep too... it´s not easy. Luckily a an understanding partner and the chance of working from home with  flexibility of working hours helps a lot. However, it´s not easy to have all the hours without interruptions I´d like to have and I use to go to sleep rather late ... Github betrays me :$


Post a Comment