Sunday, March 20, 2016

Ricardo J. Rodríguez: "I'm in love with assembler"

Ricardo J. Rodríguez. PhD and professor of Computer Languages and Systems at the University of Zaragoza.


Ricardo J. Rodríguez is a privileged mind who watches from his watchtower at the University of Zaragoza, where he is a researcher, a professor and a PhD thanks to his thesis entitled, mind you: "Performance Analysis and Resource Optimization of Critical Systems Modelled by Petri Nets". He is 30 years old, a girlfriend and two dogs "are his true loves", and he attends the CONs, giving talks on reverse engineering. But... it's better if he continues:

"I love cinema, crime or science fiction novels and the mountains. I also love research, which causes more than one argument at home. I'm too much of a perfectionist, a language extremist and stubborn, as a good "maño" (from Zaragoza) should be. A lover of mathematics and theoretical computing, obsessed with P vs. NP. I love to spend my free time relaxed. An animal lover, and sometimes a little sullen with certain humans. I don't like sleeping more than necessary (6 or 7 hours is good for me); I like to exploit my time as much as possible."


- An expert like you would have job offers from every private company. Why do you stay at the university?

- This is a usual question between my professional colleagues and me when I see their benefits compared with those of the university environment. Basically, I like the academic environment in relation to the kind of work I do. I love teaching and I love (even more) doing research. And above all, I like knowing that with my work I contribute to science, knowing I'm helping to improve human knowledge. I like the way of working in research: its creative, innovative and independent character.

I'm happy thinking that in a few years someone will start to research something, and maybe he will find an article of mine and think it's interesting to continue this line of research. Or it may even inspire a new and radical idea in him. Or, on the contrary, it could be the starting point for researching something else. Or he'll just say my vision was incorrect and give a better one; or he'll contradict a theorem and prove it with a counterexample. Using it to advance and research further.


Anyway, I'd like to use this window to tell those private companies interested in me that I'm open to collaborations. I'd be pleased to close some medium/long-term project with companies to help them with particular problems they want to solve. Instead of paying me X money, why not close a project of one, two or three years for that price, or a bit more, to fund a person to collaborate with me and then hire that person? Something similar to the university-company model in the USA.

-I suppose this mad, mad cyber-insecurity world must be seen from a calmer perspective from the university...

-Of course, the same pressure/madness suffered in an IT/systems administration department doesn't exist. You see everything from another prism; as you say, you can take it calmly... Basically, this means that most people in this university environment are (generally) unknown to the world of cyber(in)security, just as I am ignorant of the peculiarities of particle physics. In the university, in the end, everybody is an "expert" who only knows their particular field and is unaware of the rest.

-When and how were you seduced by cybersecurity?

-Well... it was in 1999 and I was interested in hacking/phreaking. I spent my time in computing courses at an academy (my first steps with QBasic) downloading all the material I could, which I read later at home. However, as I didn't have Internet at home, I couldn't test many things, so I started to focus on the viral part I could develop offline. I remember assembling the code of a virus line by line, assembling it myself and creating the binary in a rudimentary way in which a failure "meant" I had to start again. But when I made it, I felt like a child with a new toy :).

My next step was leaving the script-kiddie behind and learning x86 assembler, to understand the instructions of the critter. A friend of mine had bought the video game Alien vs. Predator for PC. I convinced him to lend it to me and I made a copy of the CD. But the damned game detected it was a copy. I had always downloaded the cracks and had never had to investigate what was behind them. As I couldn't find the binary version I needed, I started to look a little more into this matter. I discovered it was called "reverse code engineering", and I kept looking... And I made my own patch for this game. It was easy, because I had already studied the assembler code beforehand. Later I joined a Hispanic reversers group, CrackLatinos (http://hackstory.net/Crackslatinos), to whom I send my best wishes. I started to look at other games, other binaries, learning about packers, obfuscations and all that...

Since then, I'm in love with assembler and everything that can be done when you understand what the computer does when it interprets bytes. With a strong theoretical base in reverse engineering and assembler, I have moved to other application fields such as malware analysis or exploiting.

-And now, concretely, what is seducing you in cybersecurity?

- In low-level matters I'm focused on POS malware and analysis techniques with graphs. I developed my thesis in formal models (Petri nets) and security specifications; I always try to apply this theoretical knowledge to other application domains... malware analysis in this case.

On the modelling side, among other things, I'm now working on modelling what an APT is and how it interacts with the machines of an organization, with the objective of analyzing how different security policies can help to reduce the problem.

-You have an amazing CV, where reverse engineering stands out but there are also different matters.

- In the end, I'm (we are) a "research mercenary". During the thesis, one researched what one's director said. When you finish the thesis, you research what the man who pays for your research says you have to research. It's impossible to research what you really want to research if you don't get funding for it :( This dispersion of topics is caused by my being very curious. I like to research something, exploit it, and when it's done, I move on to another thing. This is why I worked (and work) on many matters. As my girlfriend says, I have to learn to say "no" if I want to reach 50 without health problems: the problem is I always say "and why not?" :)

I would like to highlight that my main research activity is basic science, not applied. And in this cybersecurity world, applicability is followed more than basic science.

-You have been a couple of times at MalCON, held in Mallorca. Can you tell us something about this Con, possibly the most "public but secret" in the country?

-Well, I can tell you something... but only a little bit :) A great Con for people interested in malware analysis, where we talk about bugs and interesting cases and where, unfortunately, I've never enjoyed a moment to go to the beach... because it always rains or it's cold! :(

- Which part of the malware world do you like most?

-The bootkits (I enjoyed like a kid the last Skuarter talk at Rooted, thanks Abel!!). More than a part of malware, what I like most is the subject of packers, specifically those tricky custom on-demand, multi-layer compression/decompression algorithms.

- When I started to use computers, 30 years ago, viruses already existed. Today we still have viruses? Will we ever get rid of them?

- I'll answer you with another question. When I was born, 30 years ago, there were kids who suffered because the adults wanted to play war, kids who lost their families, were moved from their homes, were abused by bad people. Will we ever get rid of this kind of people in our society?

Evil is a human condition. The computer is another weapon to do evil, but in another way. So as long as there are people who benefit from it (in an economic way or just by being happy screwing other people), malware will exist.

- I see on your website you're now interested in critical infrastructures.


- I'm starting to see things. I've seen that practically the majority of protocols designed for system communications, initially on isolated networks, didn't think about security and are vulnerable to many attacks (spoofing, DoS, etc.). Secure protocol proposals exist for these environments, so the field isn't in such bad shape... although there is some infrastructure that hasn't been fixed and whose malfunction could be pretty bad, and it will surprise us in the coming years, leaving us throwing up our hands.

-Schneier gave a pretty apocalyptic speech at the RSA Conference, about the nonexistent security on the network and now in SCADA systems and the Internet of Things. It seems there is a lot of work to do... where would you start?

-Pfff... I would start with (in my opinion) the most critical, the SCADA systems. From there, I would start to look at other things. The IoT, as Raul Siles showed us at the last Rooted, will be interesting.

- Would you work for the army?

-Provided that my knowledge were applied to defense and not to attack, I would do it.


Text: Mercè Molist
