Monday, April 25, 2016

RoMaNSoFt: "A good defender should have been a good attacker already"

Román Medina-Heigl Hernández. Cybersecurity Engineer for Repsol YPF. 

Román Medina-Heigl, better known as RoMaNSoFt, has earned a place in the pantheon of Spanish hackers. His résumé begins in the early "underground" days, when hackers proudly flew the computer-pirate flag. Then he came to light, writing a best seller of that time: the "IRC War tactics". And he hasn't stopped.

Today he is best known for the Int3pids group, warriors of hacking contests from Russia to Las Vegas, by way of Korea. Sometimes too punctilious (like any good hacker), a relentless and flawless critic (which has earned him great friends and enemies), Román lives today, as yesterday, on the periphery of the present-day Community, in a Batcave where he receives other great, dark hackers who are still around, without making too much noise, but very careful.

- Where does your nick come from, RoMaNSoFt?

- When I was young I sold games and all kinds of "soft"(ware) for the Amstrad CPC 6128, and that was my nick. I must say that for me it was never a business but a hobby, because the little I earned I spent on more soft. But this allowed me to have all the latest and meet people and, of course, not lose anything in security.

During this time (it was several years), I had different computers: Spectrum, Amstrad CPC/PCW, Amiga 500 and finally a PC. And I always used the same nick for all of them, even during my time in the Amiga "demo-scene" (Amiga Rules!! :-)) and ending up, obviously, in the hacking scene, where maybe it would have been more "cool" to use another nick. Despite all that, I decided not to change it. In the end, what matters is the person, not the nickname.

- Many hackers left university in the first year. You did not?

- The University helped, among many other things, to awaken in me this curiosity about cybersecurity, and it gave me access to resources (workstations, networks... and even the Internet) which in those days (almost) nobody had at home. I could say I studied two degrees: the official one (Telecommunication Engineering) and, unofficially, every Unix box I had; I spent hours and hours at the CdC (Calculation Center) "playing", which is (in my opinion) how you really learn.

- You became famous when you wrote "IRC War tactics". Were these wars your first contact with cybersecurity?

- No, my first contact was in 1993, when I entered the University and had access to interconnected multi-user systems... and, why not say it, easily hackable ones. The arrival of Infovía (1995) also gave a lot of play and many fun nights on and off IRC }:-). I think the first version of the Tactics doc is from 1997.

- Is cybersecurity like a war?

- It's a discipline (and for some "crazy people" like me, our passion) that can be used for good or evil. It's as much the offensive part as the defensive part, because they are completely related. I can't imagine a good defender who hasn't been (or isn't) a good attacker. And vice versa.

- Actually, you haven't left the wars; now it's Capture The Flag (CTF). Is winning a challenge in a CTF contest the same feeling as assaulting an external server?

- They are different sensations (though both give a "high"), as are the implications :). Assaulting an external server (without authorization) is illegal and you can go to jail. I must say that long ago it wasn't illegal (it was a legal leaf) if you didn't cause damage and didn't benefit from it, and that was basically the only possible way to learn (it was the closest thing possible to a CTF, because CTFs didn't exist).

- Is learning under "real fire" the same as in a simulation?

- Not exactly, but they complement each other (and at some points they intersect). Under real fire (like attacking a host or network), the attack field is relatively large, while in a CTF problem the field is delimited.

To give an example, in the first case you have a "regular" house (with its windows, doors, fireplace, etc.; without special security) and you have to get in; in a CTF the house they give you is small, it has no windows or fireplace, and the door (a priori the only way in) is completely sealed. The ways to approach both cases are very different (and because of that, you learn different things).

[Photo: Partying with the legendary hacker Kevin Mitnick]

In the first case (for example, during a "pentest") you usually follow a methodical approach, you use tools that automate scans or that include a repertoire of well-known exploits/techniques, and the trick is to launch, in the shortest time, the largest possible number of attacks, in decreasing order of success probability, until one works.

In a CTF challenge, the attacks tend to be manual and focused on exploiting a particular vulnerability (sometimes you have the binary or the source code to exploit) but under hard conditions (or even a corner case that is hard to see or exploit). There are many CTFs, but we could say that *generally* they are more complicated and require more advanced knowledge than, for example, a pentest or traditional attack (which can be hard too).

- Will we see peace in cybersecurity some day?

- I don't think so. We'll always see attackers and attacked :) However technology evolves, there will always be at least one exploitable vulnerability: the human factor :) (The DARPA Cyber Grand Challenge attracts my attention because the objective is to build totally automated systems which will attack and defend themselves automatically).

- You were a prominent member of !dSR, one of the last groups of the Spanish old school. You were critical of the cybersecurity industry. Why?

- !dSR was an atypical and "chaotic" group. We were nothing more than eight friends sharing the same interest in cybersecurity, and we used to get together, usually in some pub in Madrid, to talk about our "struggles". From time to time, some of these "struggles" were published as !dSR and we shared some laughs }:-)

This doesn't mean all of us agreed with certain actions or that those were joint. In the same way, some of us were more pro-whitehats (my case) and others.... errrrr, less :) Honestly, I think the people who defended "Project Mayhem" (anti-whitehats) did it more to do something wild than for real reasons.

Today, !dSR exists as a private email list, with 80 members and a little activity, co-administered by "crg" (a great professional you should interview }:-)) and me.

- You have helped to organise important Spanish cons but, Román, did you learn to be a hacker in the community or on your own?

- I learnt on my own, on one hand because of my shy and private nature, and on the other hand because I live far away from the big cities (where there are more group movements and meetups). I have always learned mostly from documents I found on the network, and so all I know I owe to the Community and the hackers who altruistically share their knowledge (papers, exploits, techniques, etc).

That's why, in 1997, I decided to start my "irc-war" document (which I kept updating for a couple of years), and in my most prolific time (2001-2009) I focused on publishing "advisories", exploits and "write-ups" from different challenges/contests. It was my way to give back to the Community what I absorbed from there.

After that came my "time to organize Cons", where I learnt other kinds of things and also tried to offer something different to the Community. In 2009 we founded the "RootedCon" project (the complete story with all the details is here), which I left once the first edition (2010) had been held (with great success). In 2013 I joined the ConectaCon organization, holding two editions (2013-2014) and finally culminating in the NNC5ed (NavajaNegra-ConectaCon) last year (2015), probably the best non-private cybersecurity congress held in Spain until now.

Now I'm thinking of turning the page and going back to my old (solitary) hermit-absorbing-papers life, combining it as far as possible (with a child of less than a year I don't have much time) with my participation in CTFs with my inseparable colleagues from "int3pids".

- When your child gets older and humans are more a part of the almighty networks... will the option of being a hacker still exist?

- As long as restless and curious minds exist, the hackers will exist.

Text: Mercè Molist

