Tuesday, June 14, 2016

That thing with rocking harder and the BlackHoodie story

Last year in September I realized an idea that had manifested in my brains quite some months before. I had wanted to do a workshop with a handful of friends. It should have been a weekend, where I spend time on teaching four ladies the thing I do for a living; reverse engineering malware. Those four had come up to me at different hacker events, telling me yo its cool what you do, how can I learn that? This, in general, is great, but trying to explain the how-to-RE in a few sentences is frustrating, at best. So much for the idea; lets meet somewhere, have a fun weekend, and look at a binary, I said.

And this idea, in the end, turned out to be.. a thing. I had planned to write about the workshop long ago, actually right after; then was super busy, postponed, postponed more, thought now is the time, then realised I might just as well wait a bit more and keep watching what happens. And a lot happened.

It was quite flustering, that these girls had come up to me. I've done a lot in my short career, but I'm still very much a student myself. I'm quite sure, almost certain indeed, this isn't directly linked to my mad skills, but rather for I'm someone they weren't afraid to come up to. This could have many reasons, but what I quite frankly believe is the most important one, I'm female. I'm someone they can relate to. It's taken me a while myself to understand what the hell a role model is. I like to believe thats not someone to aspire to, not an individual to adore, but someone that could be you. A person who isn’t outstanding but just normal. Sounds ridiculous? Oh dear. Like three years after I myself had realized debuggers ain't rocket science I'm still asked at every other occasion how I had this funky idea of becoming malware reverser. That.. is ridiculous. Because there shouldn't be any funkiness to this, I'm not a revolutionary, I just like to stare at assembly. For hours.

I frequently wander around tech offices and industry events where I count no more than a handful of women sneaking around the hallways. I say sneaking because lots of us, myself included, do not radiate confidence and determination, but are rather wary, a bit cautious, quite silent. If you're not like very sure of yourself it feels intimidating to walk into a meeting or a lecture full of people who are just different. This nervosity is not primarily a female problem but I'd guess an issue of any minority. But please don't get me wrong, I've never had a bad time at any conference or meetup, also I'm not talking about general fear. The infosec community I know is very welcoming, I've never experienced hostility. But that is also not the point, it doesn't require hostility to feel out of place. Thing is, most of us don't enjoy to feel exotic.

All of this said, I thought its a splendid idea to do that workshop and invite just any woman interested in reverse engineering. This way, I hoped, the binary-affine ladies out there would understand the event is something they’re supposed to attend and feel welcome to join. What it had taken for me to overcome irrational fears of IDAPro was being told that I'm goddamn supposed to use it; might just go and pass that wisdom on. I crafted a blogpost, put it live and then waited.

Truth be told, my expectation was to sit down with the initial four students, +/-2, and was stunned when the registration e-mails came rushing in. By the time we started with workshop preps there were 17 registered participants, 15 of which, no kidding, for real, showed up in person in St. Pölten downtown early September. I was.. speechless. Sou many femgineers <3 The participants were from Switzerland, France, Spain, Germany, Argentina, Israel, Russia and Austria; coming in by train or airplane, lots of them on their own expenses even. This while, St. Pölten isn't quite in the center of all happenings; you know what I mean.

Now, what is it that we actually did. Basically the participants had to complete four assignments before the actual workshop weekend. These assignments included setting up an analysis environment, a virtual machine running Windows XP, and install a number of tools needed for malware analysis tasks. Also up for homework was quite some reading; papers about x86 assembly language, common malware anti-analysis tricks and runtime packers. They had to perform dynamic malware analysis on a Citadel infector within their virtual machine and look at the traces it left with different tools. Finally, they got some exercise binaries to put in a debugger and watch EIP jumping along the execution path. These exercises all together don't teach you how-to-RE. They are meant to help build a base of understanding for malware and binaries, also they provide hints from where to go on after the workshop.

The two days of workshop themselves were meant to be painful. No, really, a weekend to learn RE is either painful, or quite useless. It is a tough subject, even for seasoned information technologists. Thus the goal was to do something that sticks, like, content thats not painful just doesn't stick. So I picked a piece of malware, one that I had worked on before, and made it our workshop content. The binary is a bit more than 20KB big, packed, and if it were a pet it would listen to the name Upatre. I've had fun with Upatre when I was learning reverse engineering, thus I knew its doable for beginners. For the inclined reader, the workshop’s subject of interest is identical to this one here.

The object of interest
When the weekend was over we were somewhere through with the packer and out of all energy. I left the payload as an exercise and called the event a success, for none of the ladies ran away screaming. Two days, 6 to 8 hours each, staring at assembly is dizzying at best, more likely frustrating. Upatre in 2013 came with few, but neat anti-analysis tricks. The protection ‘layer’ is well separated from the decompression and image reconstruction steps. The payload is simple but effective. It was a lot of content and, frankly, I don't expect anyone walked away humming strike, I got it, strike, I got it.

I remember hearing a "cool what you taught them" afterwards. But in reality, I didn't actually teach much. When I myself was working on my first binary I spent a day on a single jumptable. I don't think one can learn to reverse an entire binary within a weekend. But that was also not the goal, much rather I wanted every attendee to understand that binaries don't bite and debuggers ain't built in Hogwarts. The younger me has spent a lot of time hypnotizing tasks, reading books and papers and staring at tools for long, for an unsubstantial fear things would fall apart if I press the wrong button. So the primary news I meant the participants to take home was how to rock'n'roll by getting their hands dirty, whichever field they are working on.

And holy shit they did! We kept in touch after the workshop and I was watching with much amazement as splendid news kept coming in. Now half a year later one of the ladies has taken on her first reverse engineering position with Quarkslab in Paris. One did her first malware research talk at Botconf last year, presenting on botnet analysis, and is going for the next speaking engagement soon; one spoke at RootedCon this year about iOS malware attacking non-jailbroken devices. Two ladies decided to pick up RE as topic for their thesis, one focusing on analyzing threat actor TTPs, one on analyzing the NDIS stack relying on memory images. Finally, an eager participant collected her first CVEs this year by exploiting BMC Logic's BladeLogic Server Automation product, presenting the findings at Troopers conference. Needless to say, among the participants are seasoned engineers, who excel in cryptography, software development, incident response and security management every day. I can't stress enough how happy I am for all their achievements. Once again, just to be clear, I didn't teach them any of this; all I wanted them to do is rock harder :)

And then, one insomnia night early this year, I made the decision to do that again, there will be another BlackHoodie workshop. It will again be free, most likely be located in Germany, will be painful again, lots of fun and a wonderful community exchange. Besides exhausting the weekend was indeed a lot of fun. I'll surely never forget the face of the waiter at the greek restaurant where we had dinner, when he saw 15 women walking in, as I told him we're a hacking workshop :,D

Wednesday, July 1, 2015

BlackHoodie - Reversing Workshop for Women at UAS St. Pölten

In the past year at every other event a girl came up to me, telling me how cool she thinks that is what I do. I’ve had that conversation with each of them, reversing is fun, there are too few women, stuff is scary and hard to learn and good sources of comprehensible knowledge are hard to find. 

Thus, I thought it’d be a good idea to sit down with them and help them get their head around reverse engineering malware. The idea is, we do a workshop on how to take binaries apart. I've been teaching exactly that at UAS St. Pölten in the past, and be happy to do it once again in a women-only class.

Why women only?

Because a girl-to-girl conversation is so much more fruitful than a full classroom with only one or two women hiding in the corners. I've done so many things in my life where I was the *only* girl among X other participants, and I promise I've been hiding in the corners more than once.            

For the gents it might not be that obvious, but it is not easy for young females who haven't yet found their place in life to walk into a class room, a university lecture, an office or a conference room full of men. Who, generally speaking, very often very well seem to know their place.

I've had girls in my classes before, hiding and holding back although I am so certain they would have been capable to be so much better than what their final results showed. So yeah this will be women only, for every female should feel welcomed and encouraged to do her best and get the most out of it.

Why more women in low-level technical jobs in general?
  • It’s difficult. Mastering something difficult makes you happy. I want all of you to be happy.
  • It pays well. While money makes you also happy, what’s more important, it gives you courage and independence.
  • It keeps you busy. Lots of open job positions globally, even better, believe it or not it is addictive and you might even find yourself a new hobby.
  • Online preparation assignments
  • Workshop 5./6. of September at University of Applied Sciences St. Pölten, Austria
  • No fees, no strings attached, all you have to do is get there
  • Please register with your name or nickname and a short note about your background at blackhoodie at 0x1338 .at
  • Being female
  • Computer science background in a sense you understand programming logic, how a processor works and how an operating system works
  • A Notebook capable of running at least one virtual machine
  • A virtual machine, preferred WinXP 32-bit
  • Guts :) (It is going to be a lot to learn in a very short time)


Please register with your name or nickname and a short note about your background at blackhoodie at 0x1338 .at. About two weeks before the event you will be asked for a final confirmation of your participation.

Announcement from University of Applied Sciences St. Pölten

Sunday, April 5, 2015

Mourning The Last SyScan

An ode to the tiny ones *sniff*

There are a number of happenings that crashed my life since the last blog post like.. oh lets say, like an elephant crashing a porcelain store. The malware clan, calling it clan as it is multiple families, so the clan I've been following since last year’s Hack.lu turned out to be most likely nation-statey, believed to be operated by French intelligence. Who would have thought.

Last week I presented on the most interesting furries out of the 'Animal Farm' or Cartoon Malware as I'd rather call it. This presentation was given at SyScan'15 in Singapore, which, for me personally, is something like the mothership of all cons.

I have done a hell lot of conferences the past two years. Now how that happened is a hell lot of stories, but let me tell you, I had a hell lot of fun. Hell. 

Maybe we agree, more than anything else conferences are about the people you meet there. At a small event you get to meet everyone, at least twice, you have to, even if you try to avoid someone. Not that I ever tried that. Usually the conference is happier to have you than the other way round. I've been to big conferences, not naming any, but all of them left me kind of depressed because.. Welcome, hope you learned something, thanks for your money and take a drink on the way out. Sad. This, while most of the small ones only ever made me sad as they had to end at some point. But always with the note 'See you again next year'.

Not SyScan though, not this year. This year's SyScan was the last one, the organizers giving up concurring with an overload of security conferences flooding Singapore. This is a tragedy, for our industry is losing an event with high quality content and an almost scary density of security professionals gathering there. The magic of SyScan is a mix of having been around forever and being badass technical, not simply attracting but creating a crowd of industry rock stars. 

But being selfish as ever it feels more like a personal tragedy for me. SyScan was the very first security conference I have been to two years ago, and it were the people I met there who were the support and inspiration that kept me going ever after. So this year I happened to meet again with the wizard who sparked my interest in reverse engineering, another wizard who kicked my ass to perform my very first conference submission and with the wizard who pushed me to jump over my shadow to research shit I had never heard of before. 

So.. in case you missed it. Today I occasionally turn nation state malware inside out. The con I submitted to back then was Defcon, and guess what, they accepted; and so did lots of others I submitted to later. And if I am not mistaken I got something lying around here like an 0-.... oops I didn't say that. Imagine, how I felt wandering around the holy halls of Singapore’s Swissotel again? 

Needless to say, being accepted as a speaker for SyScan'15 left me mindblown, unable for a while to actually believe this was happening. The last SyScan was the most exciting, funny, awesome, scary and challenging conference ever. I have never been so scared of screwing up as I have been trying to not miss out on a single minute of conference. And tell you what, it was awesome. Two days of no-bullshit talks, fruitful conversations and valuable insights, meeting folks who me and many others are looking up to. I _so_ hope this is not the end of an era, and I so know I’m not the only one with that wish. 

On the way out I heard a whisper about SyScan’16 and, among us, doesn’t that sound like _so_ good?