Know your community – Simone Margaritelli (@evilsocket)

The guy who published a first-hand account of how an allegedly government-sponsored firm, Dark Matter, tried to hire him to help them spy on civilians in the UAE.
A former black hat who switched sides.
Bug bounty hunter.
The author of some of the best-known offensive open source software: BetterCAP, dSploit, AndroSwat and more!
Please meet Simone Margaritelli AKA @evilsocket


Questions
Q: How many years have you been working in the security field?
A: Basically since I was 13-14 years old, which makes it ~15 years.
Q: What was your motivation for getting into the security field in the first place?
A: Curiosity, it’s always about curiosity.
Q: What was the first vulnerability you found?
A: Probably something in some switch system of the telco I was using at that time, I had lots of fun during that period of my life 🙂
Q: How did you feel when you found the vulnerability?
A: I was a kid feeling like a God, which is pretty much the same kind of feeling I still have today when I manage to hack something.
Q: What is your field of expertise in vulnerability research?
A: I’ve no specific field of expertise; I’ve been working on Windows, macOS and Linux systems since forever, but I enjoy writing security-related tools more than exploiting vulnerabilities, I only do that if I really need to.
Q: Is there some security research field that you always wanted to learn but never had a chance?
A: Cryptography. Lacking a formal education, I never studied it properly, but I’d love to.
Q: What would be your dream job? pure research? exploit development? relaxing at the beach?
A: Relaxing at the beach while writing software and pentesting stuff, which is quite close to my current job.
I looked at your GitHub account and saw that since 2016 you have updated and uploaded the following projects:

  • Yet Another Telephony Engine (YATE) – fully featured software PBX (Private Branch Exchange, which is a private telephone network used within a company. Users of the PBX phone system share a number of outside lines for making external phone calls.)
  • Yet Another Telephony Engine Base transceiver station (YateBTS) – open source GSM Base Station software
  • AndroSwat – A tool to inspect, dump, modify, search and inject libraries into Android processes
  • ARM Inject – An application to dynamically inject a shared object into a running process on ARM architectures and hook API calls
  • Smarter Coffee terminal client – experimental terminal client for the Smarter Coffee machine
  • Smali Emulator – emulate a smali source file generated by apktool, it is intended to be used as a quick and dirty way to defeat various types of encryption and obfuscation while reversing an APK.
  • SafeInCloud Linux Libraries – contains a class to decrypt SafeInCloud database files
  • Keras – Deep Learning library for TensorFlow and Theano – Keras is a high-level neural networks library, written in Python and capable of running on top of either TensorFlow or Theano. It was developed with a focus on enabling fast experimentation. Being able to go from idea to result with the least possible delay is key to doing good research.
  • OpenBank – OpenBank is a Laravel based web application that you can use to keep track of your Bitcoin public keys, your total balance and so forth. All the data is collected in real time and shown to you on its web interface.
  • FIDO – minimalistic, IDE agnostic, C/C++ project generator supporting various toolchains and build systems.
  • bettercap is a complete, modular, portable and easily extensible MITM tool and framework with every kind of diagnostic and offensive feature you could need in order to perform a man in the middle attack.
  • OpenSnitch – OpenSnitch is a GNU/Linux port of the Little Snitch application firewall.

Q: How often do you find yourself looking for some kind of script / software, not finding what you were looking for, and developing it yourself?
A: Quite often, that’s where most of my OSS comes from 🙂
Q: Why did you decide to modify the Yate project to work with the BladeRF? Was it a complicated modification?
A: I was studying ways of building a rogue GSM BTS with cheap hardware and free software, so I had to hack some other OSS together in order to make it work in my setup/scenario. The BladeRF is an SDR device, which means it supports *any* protocol in its frequency range, so it was the perfect tool.
It wasn’t complicated to modify Yate, the complicated part was studying the ~500 pages GSM documentation 😀
Q: What kind of information could you extract from the victim? Were you able to use it as MITM platform?
A: I’d prefer not to answer.
Q: Are modern mobile phones protected from these kind of attacks?
A: There’s a lot you can do with cheap SDR hardware and open GSM or LTE software, the protocols are very complicated and not really security centered … so, no.
Q: How much experience do you have with telecommunication architecture (BTS / Multiplexer etc) / protocols (GSM / CDMA / etc)?
A: I studied the whole protocol documentation so I guess I do have some experience and knowledge of how it works, but I’m definitely not an expert.
Q: Smarter Coffee terminal client project – Do you own one?
A: Yes.
Q: Why did you decide to develop a terminal client for the machine?
A: Ehm … because I wanted to make coffee from the command line XD
Q: Have you been inspired by this http://www.businessinsider.com/programmer-automates-his-job-2015-11 story?
A: Not really, but every good hacker tries to automate their stuff, that’s in our DNA I guess 😀
Q: How do you take your coffee? espresso? cappuccino?
A: Short espresso for breakfast and long black coffee during the day, not a cappuccino fan.
Q: Why did you decide to develop BetterCAP?
A: Because ettercap is crap, the filters never really worked (yes, they do on a packet level, not on a stream level) and I was tired of using dozens of different tools to achieve something I could easily do with a single, well implemented, one.
Q: How many people use BetterCAP?
A: I have no idea, but I guess a lot considering that just the downloads from RubyGems are around 100K.
Q: What is your vision for BetterCAP? Are you going to extend the abilities of BetterCAP to support Wifi (Karma-attack) / bluetooth etc?
A: I’m thinking about a new implementation, from scratch, in a faster language … we’ll see 🙂
Regarding extending its abilities, I won’t extend it to support Wifi / Bluetooth; that’s out of the scope of the software.
In 2012 you launched dSploit v1.0.31b, an Android network penetration suite.
In 2014 you announced that you had started working at Zimperium and that dSploit was merging with Zimperium’s zANTI2.
You also announced that “we decided to join our efforts to create a better, faster and free product”. A few months later Zimperium released zANTI 2.0 for free.
Today, zANTI is not free.
Q: Is zANTI based on dSploit?
A: Yes, parts of it. Every once in a while I still work on the platform.
Q: Why did you decide to develop an application firewall (OpenSnitch)?
A: Because I wanted to have a free one on Linux, I always loved LittleSnitch on macOS, so I started to port it.
Q: As an offensive security researcher, how many times do you get “shady” emails / get contacted by unknown companies asking about acquiring vulnerabilities? And what is your funniest story of someone who contacted you?
A: I get such type of emails on a weekly basis, but I don’t pay much attention to them, so I can’t say which one was the funniest, I just don’t even read them 😀
Q: Are you still looking for vulnerabilities on your free time?
A: Always.
Q: What type of products do you like most looking into vulnerabilities in?
A: Recently, mobile products, but usually, the higher the impact, the better.
Q: What was the silliest (funny) reward you got for reporting vulnerability to a vendor?
A: A free year of premium subscription to the same crappy service I’ve pentested.
Q: Do you think the rewards security researchers get from reporting vulnerabilities are fair?
A: In most cases they are, but researchers should not be motivated by rewards IMHO, but by the idea of building a safer world.
Q: Could you do this full time (make a living from it)?
A: No, I do like it, but I couldn’t handle the pressure of doing it 24/7
Q: What industries or business sectors would you like to see more involved in the bug bounty business?
A: Governments, most of the time if you find some vulnerability in some important national infrastructure, it’s really hard to report it without consequences.
Q: What are the best companies to work with when hunting for vulnerabilities?
A: Google I guess, being quite responsive and open minded.
You published a blog post, How the United Arab Emirates Intelligence Tried to Hire Me to Spy on Its People, and were interviewed about it back in 2016.
Q: In your opinion, is there a difference between “physical” weapons, like guns / war ships / missiles, and “cyber” weapons (Hacking Team / FinFisher etc)?
A: Not at all, both should be considered as weapons.
Q: The security community is quite small and you know a lot of the researchers. Do you know researchers who decided not to work at Dark Matter after you published your blog post?
A: Yes, quite a few of them actually 🙂
Q: Do you know of researchers that went to work at Dark Matter?
A: Yes.
Q: Did Dark Matter threaten to sue you after you published your blog post?
A: No, never heard from them after I published the blog post.
You say about yourself on your website (the Whoami tab) that “I’m a former blackhat hacker now working as a whitehat in the security industry trying to make the world a safer place”.
Q: Could you share with us what kind of “blackhat” activities have you been involved with?
A: No 🙂
Q: Can you tell me how to avoid falling to the “dark side”?
A: My main principle is simple, just make sure you leave a better world than the one you found when you were born … and this can’t happen if you follow “the dark side” of things.
Q: How easy it is to fool people and steal their money?
A: Very.
Q: Why did you decide to change sides and work with the good guys?
A: On one hand, I started to see how my actions negatively affected my life at that time (trouble with the police, etc.); on the other hand, I wanted to be something better than just a kid hacking into stuff for no reason whatsoever other than his curiosity.
Q: Are there talented security researchers on the “dark side”, or are most of them teenagers trying to make money?
A: Absolutely, there are a lot of exceptional researchers in the blackhat community.
Q: You are a very experienced researcher and you have had the opportunity to participate in many security conferences, both as a speaker and as an attendee. What is your favorite security conference?
A: Actually, I’ve never been a speaker, I mostly like to listen and learn from other people, my favorite conf./events so far are the Chaos Communication Camp in Germany and the End Summer Camp in Italy.
Q: What kind of lectures do you like to attend / listen to?
A: Everything that makes me learn something new.
Q: What do you love most in conferences? (conference events – CTF / hacking village / Hack the badge, drinking parties etc)
A: Connecting with people. If you think about it, you can learn about someone’s research on the internet, while the human-to-human connection is something you only find in conferences.
Q: What is the most exotic place you attended a security conference at?
A: It was a DEFCON group meeting in Shenzhen, China.
Q: In which country have you been surprised by the size / quality of the security community?
A: To be honest, Italy. A few years ago I thought we, as a country, had nothing much to offer to the ITSec community. Fortunately I came to realize I was wrong, some of the best researchers and tool developers are Italian. For instance, most of the best MITM attack software has been written by Italian people 😀
Q: In your opinion, how did the international security community change in the past 5 years?
A: A very big amount of money has been put in this business recently, the “corporate world” we’re not part of makes the whole community more “professional”, but definitely less genuine in my opinion.
Q: How has the Italian security community changed in the past 5 years?
A: We’re much more interested in privacy now, most of our groups are somehow involved in privacy-related tools and/or awareness campaigns of some sort.
Q: What’s the single most important piece of advice you would want to give to someone seeking a career in the security field?
A: Be curious about everything and never stop learning.
Q: What are your hobbies?
A: I *love* movies ( I watch 1-2 movies per day ), books, photography and traveling.
It was a pleasure, Simone, to talk to you.
You’re welcome.