Tuesday, April 12, 2016

José Carlos Norte: For many years the only thing I programmed was malware

José Carlos Norte. CTO of EyeOS company.

José Carlos, 28 years old, is one of those self-taught hackers with the curiosity bug in his blood, and he doesn't stop investigating, even though he is the CTO of the EyeOS company, a pioneer in virtualization and today the property of Telefónica. Recently he discovered that thousands of trucks, ambulances, vans and other fleet vehicles use brand devices to communicate with the central office, which allow geolocating them, stopping the engine and other remote outrages.

With this discovery, José Carlos has appeared in the worldwide media. It isn't the first time José Carlos has appeared in the media, although the first time, when he was 18 years old, was unfortunate. He remembers it with a mix of sadness and pride: the Civil Guard arrested him, accused of leading a group of young boys who "defaced" the websites of different media outlets. He had to wait 8 long years to be tried and paid a 60 € fine.

- How did the script kiddies group start?

- It started out as a group of script kiddies, created when we were 15 years old. But there were 3 or 4 people with pretty big talent, who today hold high positions in companies related to computing. Imagine a group of kids that evolves until the matter gets serious. Really serious. With the talent we had, we could do many things: we developed our own exploits, we spent weeks auditing software to find 0days and to increase our intrusion capability...

Álex Fiestas was there, he was a KDE developer and an important member of its community, and also Sergio Arcos, who worked for Blueliv (a security company from Barcelona) and then went to Japan, where he leads a technical team for another company. Many of the things we did there are still unknown.

- For example?

- We did this to learn and have fun. We never earned money and we didn't want it. We were a group of teenagers with talent, free time and no mentor, discovering the world, understanding how things work and, as a consequence, breaking things all the time. We did a lot of silly things, but over time the matter got serious and you don't know when it happened, but you start by typing quotation marks in the URL and creating malware in Visual Basic 6 and you end up developing your own exploits for 0day bugs found in software like Apache, Samba, etc.

We were dedicated to a few things. Our main activities were software audits, creating specific hacking tools, reading all the news, developing exploits and trading them in exchange for other exploits... Actually, I learned to program by auditing software and creating malware. And that made me understand a lot of things in a different way. For many years the only thing I programmed was all types of malware and security tools.

- How was your arrest by the Civil Guard?

- When I was almost 18 years old, the group disbanded. People started to study at university, some worked, others had girlfriends... I started to work as a Java consultant at a consulting company in Barcelona with my best friend, Álex Fiestas.

I had only spent 2 weeks at the company when one morning my phone rang and it was my mother. When I answered I only heard: "José Carlos, what have you done? The Civil Guard is here, they are following you!" Later, I heard: "Ma'am, hang up the phone, you can't warn anybody!" and the phone call was cut off.

I went blank, literally. My hands shook and I couldn't get up from the chair. I tried to talk with Álex, but I couldn't talk... Finally we took a car and went together to my home to see what had happened. Thousands of things passed through my mind; with the group we had done many things and I didn't know the reason why they had gone to my home... When I arrived, there were Civil Guard cars at my home. When I entered my home there were a lot of people... judicial helpers, police officers... all the civil guards were undercover, but they were armed.

When I went to my room there were 3 or 4 people cataloging, labeling and storing everything in bags and boxes. They turned my whole room upside down and took every electronic thing. A police officer asked me directly: "Are you José Carlos Norte alias XXXX alias XXXX alias XXXX?"... I didn't know what to answer. I said yes, doubting.

He asked for my ID card, took it and said to me: "You're under arrest. Do you know your rights or do you want me to explain them to you?..." After that he repeated the same process with Álex. He has always regretted joining me that day. It was like a film. When I left my home to go to the barracks, I went with two Civil Guards, but they didn't handcuff me. I was under arrest from 12:00 p.m. to 1:00 a.m., isolated in a cell and, from time to time, they took me out to talk with me, like in the movies.

- What does a hunted hacker feel?

- They arrested us for a really stupid thing, one of those silly things you do one day without paying attention and without taking any security measures because you think it's a silly thing. That's why I never considered myself a hunted hacker: I consider myself a self-taught young man who experimented on the Internet for a few years. One day I did a foolish thing without paying attention and they arrested me, but nothing more.

The Spanish police don't have the resources to locate and arrest anybody who wants to hurt somebody on the Internet in an organized and professional way. The hacker arrests have always been groups of young boys who are experimenting, who play the fool and get careless. Or traditional criminals who clone credit cards or similar, or boyfriends who spy on their girlfriends with bad malware. I met in Spain many people with botnets and spectacular operations, which under Spanish legislation would be prosecuted, and they are never going to be arrested because they use sophisticated resources.

- Today you are the CTO of EyeOS. How did a hacker who had legal problems get this high position?

- When I got arrested, a civil guard called my workplace and they fired me. I never understood the reason. I didn't have a job and I started to look for what to do and I found EyeOS. At that moment it wasn't a company; it was Pau García Milà and a friend who were running an experiment. The first thing I did was audit it, and it was full of security holes. Pau and I became friends quickly.

One day we met and he proposed that I join them. I said something like: "Only if you promise me you won't program again", because that was a disaster. I started to live in Pau's house, or in the office. Then EyeOS became a company and the rest is a known story :)

- I saw you released the EyeOS code.

- We released one of our most important pieces of intellectual property as open source, a web client and a virtualization project. In the future there will be more news related to EyeOS and free software.

- Recently you discovered that some trucks are hackable and you told the media before warning the company. Why?

- For many reasons... First of all, the Penal Code reform ridiculously criminalizes hacking, making it really hard to create a legal framework for collaboration with companies on these matters. The more they criminalize hacking, the trickier the collaboration between independent auditors and companies becomes. With this the only winners are the real criminals: if the security information doesn't flow and the independent auditors can't collaborate with the companies, so much the better, because everything is more insecure.

Secondly, I'm tired of companies ignoring these things. I believe in "full disclosure" to pressure companies to correct their security problems. This company, which I have talked to, has rushed to patch everything and help their clients. In 2015, a security auditor published a theoretical PDF about the same devices I found exposed on the Internet and they didn't pay attention. What I published is only 1% of what this auditor saw, but only the thing I have published has been solved.

If you combine the fact of companies ignoring or answering defensively to independent security auditors with the law which persecutes and criminalizes hacking... the only possible scenario if I find a vulnerability is that either you pay me a reward, as Google does, or I publish it on the Internet and that's all. And I ask myself: if a responsible way to do that exists, why is it increasingly criminalized?

- Isn't it dangerous to do it like this?

- It's more dangerous not to say anything and leave those trucks insecure.

- Finally: What quote would you take to a desert island? 

- "History never looks like history when you are living through it" John W. Gardner.

Text: Mercè Molist

