Friday, July 29, 2016

BlackHoodie #2 – We roll again :)

Last year I held a free reverse engineering workshop for women, mainly in the not entirely un-selfish interest to see more of them around in the whole security field. More about the motivations, the why's and obstacles and how it turned out you can read up here, here and here. Looking back, I'm super happy with this little project and, leaning out the window a bit further, call it a big success.

That said, I gleefully announce BlackHoodie #2, the next women-only reversing workshop, to take place in Bochum, Germany the weekend of 19th + 20th of November 2016. This edition will be held in cooperation with Katja Hahn, a splendid binary analyst herself, and Priya Chalakkal, an up-and-coming hacker of all things; and comply with the same principles as last year. It will be free of charge, no strings attached, and aim to help femgineers entering a field that's not easily accessible.

Moreover, in a wonderful initiative community members announced their support of this year's edition by covering the travel expenses of a BlackHoodie attendee. The US startup Iperlane and Thomas Dullien aka Halvar Flake will cover the trip for a lady who decides to come join the workshop. The lucky attendee will be randomly selected from the group of registered participants.

May there be oh so many participants :) :) So here we go again..

Why women only?

Because a girl-to-girl conversation is so much more fruitful than a full classroom with only one or two women hiding in the corners. I've done so many things in my life where I was the *only* girl among X other participants, and I promise I've been hiding in the corners more than once.

For the gents it might not be that obvious, but it is not easy for young females who haven't yet found their place in life to walk into a classroom, a university lecture, an office or a conference room full of men. Who, generally speaking, very often very well seem to know their place.

I've had girls in my classes before, hiding and holding back although I am so certain they would have been capable of being so much better than what their final results showed. So yeah this will be women only, for every female should feel welcomed and encouraged to do her best and get the most out of it.

Why more women in low-level technical jobs in general?
  • It’s difficult. Mastering something difficult makes you happy. I want all of you to be happy.
  • It pays well. While money makes you also happy, what’s more important, it gives you courage and independence.
  • It keeps you busy. Lots of open job positions globally, even better, believe it or not it is addictive and you might even find yourself a new hobby.

  • It's gonna be Katja, and Priya, and me, and a binary, and you, and plenty of debuggers
  • Online preparation assignments, 4 of them, over the course of two months prior to the workshop
  • Workshop 19./20. of November at G DATA Academy, Bochum, Germany
  • No fees, no strings attached, all you have to do is get there
  • Please register with your name or nickname and a short note about your background at blackhoodie at 0x1338 .at

  • Being female
  • Computer science background in a sense you understand programming logic, how a processor works and how an operating system works
  • A Notebook capable of running at least one virtual machine
  • A virtual machine, preferably WinXP 32-bit
  • Guts :) (It is going to be a lot to learn in a very short time)


Please register with your name or nickname and a short note about your background at blackhoodie at 0x1338 .at. About two weeks before the event you will be asked for a final confirmation of your participation.

Tuesday, June 14, 2016

That thing with rocking harder and the BlackHoodie story

Last year in September I realized an idea that had manifested in my brains quite some months before. I had wanted to do a workshop with a handful of friends. It should have been a weekend, where I spend time on teaching four ladies the thing I do for a living; reverse engineering malware. Those four had come up to me at different hacker events, telling me yo it's cool what you do, how can I learn that? This, in general, is great, but trying to explain the how-to-RE in a few sentences is frustrating, at best. So much for the idea; let's meet somewhere, have a fun weekend, and look at a binary, I said.

And this idea, in the end, turned out to be.. a thing. I had planned to write about the workshop long ago, actually right after; then was super busy, postponed, postponed more, thought now is the time, then realised I might just as well wait a bit more and keep watching what happens. And a lot happened.

It was quite flustering, that these girls had come up to me. I've done a lot in my short career, but I'm still very much a student myself. I'm quite sure, almost certain indeed, this isn't directly linked to my mad skills, but rather for I'm someone they weren't afraid to come up to. This could have many reasons, but what I quite frankly believe is the most important one, I'm female. I'm someone they can relate to. It's taken me a while myself to understand what the hell a role model is. I like to believe that's not someone to aspire to, not an individual to adore, but someone that could be you. A person who isn’t outstanding but just normal. Sounds ridiculous? Oh dear. Like three years after I myself had realized debuggers ain't rocket science I'm still asked at every other occasion how I had this funky idea of becoming a malware reverser. That.. is ridiculous. Because there shouldn't be any funkiness to this, I'm not a revolutionary, I just like to stare at assembly. For hours.

I frequently wander around tech offices and industry events where I count no more than a handful of women sneaking around the hallways. I say sneaking because lots of us, myself included, do not radiate confidence and determination, but are rather wary, a bit cautious, quite silent. If you're not like very sure of yourself it feels intimidating to walk into a meeting or a lecture full of people who are just different. This nervosity is not primarily a female problem but I'd guess an issue of any minority. But please don't get me wrong, I've never had a bad time at any conference or meetup, also I'm not talking about general fear. The infosec community I know is very welcoming, I've never experienced hostility. But that is also not the point, it doesn't require hostility to feel out of place. Thing is, most of us don't enjoy feeling exotic.

All of this said, I thought it's a splendid idea to do that workshop and invite just any woman interested in reverse engineering. This way, I hoped, the binary-affine ladies out there would understand the event is something they’re supposed to attend and feel welcome to join. What it had taken for me to overcome irrational fears of IDAPro was being told that I'm goddamn supposed to use it; might just go and pass that wisdom on. I crafted a blogpost, put it live and then waited.

Truth be told, my expectation was to sit down with the initial four students, +/-2, and was stunned when the registration e-mails came rushing in. By the time we started with workshop preps there were 17 registered participants, 15 of which, no kidding, for real, showed up in person in St. Pölten downtown early September. I was.. speechless. So many femgineers <3 The participants were from Switzerland, France, Spain, Germany, Argentina, Israel, Russia and Austria; coming in by train or airplane, lots of them at their own expense even. This while, St. Pölten isn't quite in the center of all happenings; you know what I mean.

Now, what is it that we actually did? Basically the participants had to complete four assignments before the actual workshop weekend. These assignments included setting up an analysis environment, a virtual machine running Windows XP, and installing a number of tools needed for malware analysis tasks. Also up for homework was quite some reading; papers about x86 assembly language, common malware anti-analysis tricks and runtime packers. They had to perform dynamic malware analysis on a Citadel infector within their virtual machine and look at the traces it left with different tools. Finally, they got some exercise binaries to put in a debugger and watch EIP jumping along the execution path. These exercises all together don't teach you how-to-RE. They are meant to help build a base of understanding for malware and binaries, also they provide hints from where to go on after the workshop.

The two days of workshop themselves were meant to be painful. No, really, a weekend to learn RE is either painful, or quite useless. It is a tough subject, even for seasoned information technologists. Thus the goal was to do something that sticks, like, content that's not painful just doesn't stick. So I picked a piece of malware, one that I had worked on before, and made it our workshop content. The binary is a bit more than 20KB big, packed, and if it were a pet it would listen to the name Upatre. I've had fun with Upatre when I was learning reverse engineering, thus I knew it's doable for beginners. For the inclined reader, the workshop’s subject of interest is identical to this one here.

[Image: The object of interest]

When the weekend was over we were somewhere through with the packer and out of all energy. I left the payload as an exercise and called the event a success, for none of the ladies ran away screaming. Two days, 6 to 8 hours each, staring at assembly is dizzying at best, more likely frustrating. Upatre in 2013 came with few, but neat anti-analysis tricks. The protection ‘layer’ is well separated from the decompression and image reconstruction steps. The payload is simple but effective. It was a lot of content and, frankly, I don't expect anyone walked away humming strike, I got it, strike, I got it.

I remember hearing a "cool what you taught them" afterwards. But in reality, I didn't actually teach much. When I myself was working on my first binary I spent a day on a single jumptable. I don't think one can learn to reverse an entire binary within a weekend. But that was also not the goal, much rather I wanted every attendee to understand that binaries don't bite and debuggers ain't built in Hogwarts. The younger me has spent a lot of time hypnotizing tasks, reading books and papers and staring at tools for long, for an unsubstantial fear things would fall apart if I press the wrong button. So the primary news I meant the participants to take home was how to rock'n'roll by getting their hands dirty, whichever field they are working on.

And holy shit they did! We kept in touch after the workshop and I was watching with much amazement as splendid news kept coming in. Now half a year later one of the ladies has taken on her first reverse engineering position with Quarkslab in Paris. One did her first malware research talk at Botconf last year, presenting on botnet analysis, and is going for the next speaking engagement soon; one spoke at RootedCon this year about iOS malware attacking non-jailbroken devices. Two ladies decided to pick up RE as topic for their thesis, one focusing on analyzing threat actor TTPs, one on analyzing the NDIS stack relying on memory images. Finally, an eager participant collected her first CVEs this year by exploiting BMC Logic's BladeLogic Server Automation product, presenting the findings at Troopers conference. Needless to say, among the participants are seasoned engineers, who excel in cryptography, software development, incident response and security management every day. I can't stress enough how happy I am for all their achievements. Once again, just to be clear, I didn't teach them any of this; all I wanted them to do is rock harder :)

And then, one insomnia night early this year, I made the decision to do that again, there will be another BlackHoodie workshop. It will again be free, most likely be located in Germany, will be painful again, lots of fun and a wonderful community exchange. Besides exhausting, the weekend was indeed a lot of fun. I'll surely never forget the face of the waiter at the Greek restaurant where we had dinner, when he saw 15 women walking in, as I told him we're a hacking workshop :,D