Rodrigo Branco

3.9K posts

Rodrigo Branco banner
Rodrigo Branco

Rodrigo Branco

@bsdaemon

Chief Architect, Security Research of BigTech Advisor of Grsecurity. BYOS Commitee Member of OffensiveCon, Langsec, DistrictCon, Secdev

United States Katılım Eylül 2009
4.3K Takip Edilen12.9K Takipçiler
Sabitlenmiş Tweet
Rodrigo Branco
Rodrigo Branco@bsdaemon·
Despedida da H2HC! (My goodbye to H2HC!) (English Version Just After the Portuguese) TLDR: Para aqueles que não conseguem ler uma carta longa, estou saindo da organização da H2HC a partir do ano que vem (este ano ainda estarei à frente do evento, como sempre). Todas as responsabilidades do evento ano que vem estarão com Balestra, um dos meus melhores amigos e alguém que sempre se dedicou e muito para o sucesso do evento. Acredito plenamente que o Balestra está totalmente capacitado a garantir o futuro da H2HC. Peço a todos que o apoiem nessa jornada de levar a H2HC ao futuro! Não posso negar que escrevo esta carta com o coração pesado! Mas ao mesmo tempo, estou decidido de que esta é a decisão certa e a melhor para o futuro da H2HC e da comunidade Brasileira de segurança da informação, pesquisas e hacking. Participo há 21 anos da organização do evento. Interessantemente, eu entrei para a organização durante a primeira edição, quando o evento já estava em andamento (que bagunça que foi! mas também uma das edições mais verdadeiras no sentido real do espírito do hacking). Passei a ser o principal organizador quando na 5a edição o comitê que organizava (umas 8 pessoas) estava, pra variar, dividido em diferentes ideias/opiniões e tudo estava atrasado. Na época eu disse que iria sair e nas discussões que decorreram o grupo decidiu que eu deveria continuar com o evento. O combinado era simples: manter o espírito original! A ideia de que as pessoas devem se encontrar, a ideia de que o hacking é uma contra-cultura, a ideia de que o conhecimento não deve ser controlado. Convidei então meu grande amigo, Filipe Balestra a se juntar a mim, e ambos sabíamos que seria um grande desafio. E mais 16 anos se passaram! E o que mudou? Eu mudei, o mundo mudou, a comunidade mudou, os tempos mudaram, e a H2HC mudou! O evento cresceu muito mais do que esperávamos (e pra ser sincero, apesar de eu constantemente controlar o crescimento). A demanda de tempo para manter as coisas alinhadas com o que eu acredito e vejo pro evento passou a ser gigante (pra terem uma ideia, eu uso algo em torno de 1000 horas por ano). Temos algo em torno de 3000 pessoas por dia, 20+ villages, 18+ palestrantes internacionais (muitos vindo para as villages e não apenas para a grade principal do evento). Temos a revista, que aumentou em muito em termos de qualidade técnica nos últimos anos, graças a ajuda impressionante do Gabriel Barbosa. Temos os badges eletrônicos, que apesar de não conseguirmos distribuir a todos, continuam se tornando referência no mundo pela criatividade (tivemos desde um PCB com o layout do mapa do Brasil, até layout de uma arma com laser, implantes e muitos outros - e este ano tenho certeza de que o que virá vai impressionar a todos) - graças ao apoio do Brian Butterly, outro grande amigo meu que adorou a cultura real do evento e topou o desafio. Temos algumas das melhores palestras da área, literalmente palestrantes que não vão em outros eventos e acabam trazendo um reconhecimento internacional para a H2HC que muitos eventos (bem maiores/tradicionais) apenas desejam ter - graças, em grande parte, ao comitê que avalia as palestras. Temos bebida gratuita (incluindo refrigerantes, mas whiskey e cerveja também - tivemos até a nossa própria vodka e nossa própria cerveja), pois acreditamos na interação entre as pessoas. E quem anda pelo evento acaba descobrindo o que é diversidade de verdade pois temos literalmente todos os tipos de pessoas, com um mantra simples: o que todos temos em comum ali é a busca pelo conhecimento. Somos intolerantes em relação à preguiça e a falta de curiosidade. Doamos ingressos para quem tem interesse, mas não tem condições. Tudo isso com verba zero de marketing. Obviamente todos os anos eu tenho aqueles momentos únicos que justificam todos os esforços. Ano passado, por exemplo, alguém me parou no elevador e disse que mudou para a área de segurança pois entrou em contato comigo há muito tempo atrás e eu doei um ingresso para ele conhecer e ver se realmente se apaixonava. Um dos meus grandes amigos recentemente me perguntou se eu lembrava como eu o conheci… e basicamente foi na H2HC, quando também dei uma oportunidade a ele. Um dos voluntários que trabalham no evento (o evento é todo via voluntários, nós não temos funcionários, não tiramos um único centavo, toda a renda gerada é investida em fazer algo ainda melhor) hoje em seus mid-20s começou no evento quando tinha 14 anos! Literalmente eu tive de assinar um formulário de responsabilidade pelo menor, pois os pais dele queriam ter certeza que iríamos tomar todos os cuidados necessários. Vemos no evento gerentes, diretores e até CISOs de grandes empresas literalmente correndo pra lá e pra cá carregando caixas e ajudando. Temos pessoas agora famosas na área que palestraram pela primeira vez na conferência (e quantas e quantas vezes passei madrugadas com palestrantes ajudando nos PoCs, revisando conteúdos, etc). Quantas vidas foram mudadas e quantas oportunidades foram criadas graças ao evento! (pessoas que se conheceram ali, projetos que surgiram dali, trabalhos e muito mais). São tantas histórias que sinceramente daria um livro (e nem sequer começamos a falar das festas!). Mas então, porque sair? Para mim, liderar sempre foi sobre servir. Minha fé (nunca fiz segredo de que acredito em Deus) também me faz acreditar na importância de doar e compartilhar com os outros (e obviamente ninguém precisa acreditar no que eu acredito para fazer o bem ao mundo). Também sempre me senti bem em retribuir à comunidade por tudo que eu aprendi graças aos esforços de outros que compartilharam o que aprendiam. Eu sempre acreditei na frase: “O que nos trouxe até aqui, não necessariamente nos levará até ali”. Ou seja, temos de nos adaptar constantemente. Por exemplo, um evento de hacking ter redes sociais é um pouco engraçado. Mas ao mesmo tempo, é o mundo moderno e a forma como MUITOS se informam e se comunicam (dói meu coração, no entanto, ver um videozinho sem nenhuma informação verdadeira sendo visto pelo equivalente de 30 dias em termos de horas gastas). Como evitar excluir talentos que ainda não tiveram a exposição à sub-cultura e ao mesmo tempo não sucumbir totalmente ao ‘mainstream’? Esse sempre foi o grande desafio. Algo que eu sempre achei que eu estava extremamente bem posicionado e capaz de fazer. Quantas e quantas vezes não recebemos opiniões de formas de melhorar, e insistimos em não mudar (ou mudar, mas não totalmente). Sempre pensando na evolução necessária para que o evento continue tendo o que prometeu desde o início, mas ao mesmo tempo sobreviva a realidade do mundo moderno. Nossa posição sempre foi: pode até ser que em algum momento não exista mais a necessidade da H2HC. E isso é ok! Pode ser que em algum momento a comunidade já tenha descoberto outras formas de interagir, e a comunidade decida que o evento deve acabar! Para ser claro: não acredito que tal momento tenha chegado! Eu jamais quis ser um ‘organizador’ de eventos. Não sou um investidor, não sou uma pessoa de negócios e não tenho a habilidade política necessária para levar o evento para o próximo nível. A H2HC tem a oportunidade de crescer e se expandir. Isso traz uma série de vantagens, como locais melhores, mais atividades, atingir mais pessoas, etc. Mas para isso, a organização precisará se profissionalizar, o que exigirá ainda mais tempo (potencialmente uma dedicação exclusiva) ou diversas outras opções (prefiro não elaborar pois não quero deixar opiniões, confio plenamente que o Balestra saberá o melhor caminho a seguir). Não acredito que sou apaixonado por essas atividades como sou pelos resultados que elas irão gerar. E portanto não sou a pessoa mais qualificada a conduzir nesse caminho. Continuarei focando em ser um pesquisador que se preocupa com o mundo e com as pessoas. Assistirei, com grande entusiasmo, ao futuro da comunidade no Brasil e no mundo. Abraços, Rodrigo (BSDaemon) ================ ==== ENGLISH ==== ================ My goodbye to H2HC! TLDR: For those that can’t read a long letter, I’m leaving H2HC’s organization starting next year (this year I’m still responsible for the conference, as usual). For next year, all the conference responsibilities are with Filipe Balestra, one of my best friends and someone that has dedicated a lot for the success of the conference over the years. I truly believe that Balestra is totally capable of guaranteeing the future of H2HC. I ask that everyone support him in the journey of bringing H2HC to the future! I cannot deny that I write this letter with a heavy heart. But at the same time, I’m convinced that this is the right decision and the best one for the future of H2HC and for the Brazilian information security, research and hacking communities. I've been involved with H2HC for 21 years now. Interestingly, I joined the organization during the first edition, while the conference was ongoing (what a mess that edition was! but also, it was one of the truest ever to the hacking spirit). I became the main organizer when, during the 5th edition, the organizing committee (about 8 individuals) was, as usual, divided between different ideas/opinions and everything was late. At the time I was done with it, and decided to leave, but during the discussions the group decided that I should continue with the conference alone. The agreement was simple: Keep the original spirit! The idea that people should meet, the idea that hacking is a counter-culture, the idea that knowledge should not be controlled. It was then that I invited my friend, Balestra, to join me, and we both knew that it was going to be a huge challenge. 16 years later, I believe we’ve done well! So, what changed? I’ve changed, the world has changed, the community changed, the times changed and H2HC itself has changed with it. The conference grew way more than we'd expected (and to be honest, besides me constantly trying to prevent it). The time demands to keep everything aligned with my personal beliefs and expectations for the conference became huge (just to give an idea, I use something around 1000 hours per year for the conference). The conference has around 3000 people each day, 20+ villages, 18+ international speakers (with many coming to give talks at the villages, not only on the main conference track). We have a magazine that improved a lot in terms of quality thanks to the amazing help of Gabriel Barbosa. We have electronic badges that, while not given to everyone, are still recognized in the community due to the creativity (we had a PCB with the Brazilian map as the layout, we had the layout of a gun with a laser pointer, we had implants and many more - and I’m pretty sure this year’s one will blown everyone’s mind) - all thanks to the support of Brian Butterly, another friend of mine that loved the true culture of the conference and accepted the challenge. We have some of the best talks of this field, with speakers that literally do not go in any other conference and end up bringing international visibility to H2HC, a visibility that other conferences (sometimes bigger, more traditional) only hope to have - and that is thanks, in a huge part, to the technical selection committee. We have an open bar (including soda, whiskey and beer - we even had our own custom beer and custom vodka), because we believe in the interaction between people. And anyone who walks around the conference can see what true diversity is, because it is indeed for everyone. We have all kinds of people, and a unique mantra: everyone there has a common goal in pursuing knowledge. We are all intolerant to laziness and to the lack of curiosity. We donate tickets to those that are interested, but can’t afford. And we do all that without a single expenditure in marketing. Year after year though we have those unique moments that justify it all. Last year, for example, someone stopped me at the elevator and said that they’ve moved to the security field after having reached out to me sometime before and I’ve donated a ticket to them to see if they would feel passion for it. One of my good friends recently asked me if I remembered how we first met… It was during H2HC, when I’ve also given him an opportunity. One of our volunteers of the conference (the conference is run by volunteers, there are no employees, we do not get a single cent, all the money is reinvested in making something even better), today in their mid-20s started in the conference when he was just 14 years old! I’ve literally had to sign a responsibility agreement since his parents wanted to be sure that we would take all the necessary precautions. During the conference we see managers, directors and even CISOs of large companies literally running around carrying boxes and helping. We have individuals that are now famous in our field that had their first talk at H2HC (and many, many times I’ve spent nights helping speakers with their PoCs, reviewing content and more). Many lives were changed and many opportunities were created thanks to the conference! (people that met there, projects that started there, work opportunities and so much more). There are so many back stories that we could literally fill an entire book (and we are not even talking about the parties!). So then, why leave? For me, to lead is to serve. My faith (it was never a secret that I believe in God) makes me believe in the importance of donating and sharing with others (obviously no one needs to have the similar faith to do good for the world). I’ve also always felt good in paying forward to the community for all that I’ve learned from others that shared what they’ve learned. I’ve always believed in the phrase: “What got us here, won't necessarily get us there”. Which means, we have to constantly adapt. For example, a hacking conference that has social media is a bit funny. But at the same time, it is the modern world and the way that MANY get information and communicate (it hurts my heart, though, to see a video without any actual information, seem by the equivalent of 30 days in terms of hours spent). How do we avoid excluding talent that were never exposed to the sub-culture but at the same time, do not succumb to the mainstream? That was always the big challenge. Something that I always felt extremely well positioned and capable of doing. There were many times in which we’ve received feedback on how to improve, but we insisted on not changing (or change, but subtly). Always thinking on the needed evolution to keep the conference focused on our original promises, while making sure it survives to the modern reality. Our position has always been: maybe at some point in time, there will be no need for H2HC. And that is totally ok! Maybe in some moment the community will have other means to interact, and the community itself will decide that the event should end! But to be clear: I do not believe that time is now. I never wanted to be a conference ‘organizer’. I’m not an investor, I’m not a businessperson, and I do not have the necessary political skills to conduct the conference to the next level. H2HC has the opportunity to grow and to expand. This brings a lot of advantages, such as better venues, better activities, better reach, etc. But for that, the organization has to be more professional, and that demands more time (potentially, a fully dedicated individual) or many other options (I rather not elaborate or share opinions, I just want to emphasize that I trust that Balestra will know the best path). I would not be passionate about the work that has to be done as I’m passionate for the results that I believe the upcoming work could generate. And as so, I’m just not the best person anymore to conduct the journey. I will continue with my focus as a researcher that cares about the world and about people. I will watch, with a lot of enthusiasm, the future of the community in Brazil and in the world. Hugs, Rodrigo (BSDaemon)
Português
34
34
326
29.2K
Rodrigo Branco retweetledi
Math Files
Math Files@Math_files·
Your gym teacher could be a genius. Karl Weierstrass loved math but his father forced him to study law. He dropped out without a degree. He ended up teaching high school. Also biology. Also gym class. While blowing whistles and grading papers, he secretly developed revolutionary ideas about calculus. His breakthrough papers came after age 40. Today he is called the father of modern analysis. He defined continuity. He shaped the math we all learn. He proved it is never too late. College dropout. Gym teacher. Math legend. Your timeline is yours. Keep going. The world catches up eventually.
Math Files tweet media
English
8
79
531
20.5K
Rodrigo Branco retweetledi
Hex-Rays SA
Hex-Rays SA@HexRaysSA·
📢 IDA 9.4 is here! Huge thanks to our beta testers for spending the last several weeks refining this release. • The Apple Dyld Shared Cache workflow has been rebuilt from the ground up. • The decompiler now speaks Swift, with proper ABI modelling for self, async context, and error paths. • Two new processor modules land — Qualcomm Hexagon and MCore. • Navigation gets a major upgrade with Pathfinder and a redesigned Jump Anywhere. • The Teams add-on now runs on Git. • And idalib, previously Pro-only, now ships with IDA Home. 👉 Read the blog for the full breakdown and/or jump ahead to the release notes, then grab your update in the Download Center. hex-rays.com/blog/ida-9.4-r…
GIF
English
3
24
88
8.7K
Rodrigo Branco retweetledi
Phrack Zine
Phrack Zine@phrack·
📟 CALL FOR COVERS — PHRACK #73 Want your art featured on thousands of copies of Phrack? Show us what you’ve got. ▸ retro sci-fi & chrome futures ▸ cyberpunk / terminal aesthetics ▸ dystopian systems ▸ hacker manuals from an alternate timeline ▸ weird cool stuff 📮 arts@phrack.org ⏰ Deadline: August 15 Make it strange. Make it beautiful!!
Phrack Zine tweet media
English
1
41
70
18.8K
Rodrigo Branco retweetledi
Alex Finn
Alex Finn@AlexFinn·
Something strange has happened over the last 10 years When I was a kid, every tech publication (Wired, TechCrunch, Engadget) truly loved and celebrated technology Over the last 10 years they all collectively decided they absolutely LOATHE technology. Every article is a hit piece. Every entrepreneur and creative thinker is being destroyed. The greatest inventors of our lives are being villainized. A lot of people are saying it’s because we live in a clickbait culture and hate is what drive clicks, but I don’t buy it If hate drove clicks all of these publications would be thriving. Instead, they’re all failing, going bankrupt, laying people off and on top of that I literally can’t name a single person who reads any of them There is a such a massive opportunity right now for anyone who’s willing to start a tech publication that actually celebrates and loves technology. I’m DYING for a version of Wired that actually covers real tech with an optimistic lens, and I know many other are too. Might have to f around and do this myself.
dar@radbackwards

I gave WIRED the exclusive on our hands launch, and they wrote a really weird article about how we are sexualizing robotics… wired.com/story/the-1x-n… I felt pretty betrayed because that’s not what they told me they were writing about not is that what I’ve ever been about… actually I stand for quite the opposite… But I’ve come to find a lot of dishonesty and malice in the journalism community so I wasn’t surprised. This is what I sent the author… I’m only sharing this because I hope it encourages journalists to resist the click bait trap and tell truly awesome stories because I for one don’t believe journalism is dead— I think it’s just starting and just needs to evolve past the weird corner of the internet where data driven optimization turns everything into smooth brained shocking brain rot bullshit. The technological revolution we are going through should inspire a journalism renaissance. Not let it fall into further decay. There is so much brilliance at play in the world and the stories should be told! My note: “[author name redacted], it was nice talking to you, but I wanted to let you know that I didn’t enjoy your article at all. I understand the need to be inflammatory because that seems to be the only thing that gets clicks these days but that doesnt mean you shouldn’t recognize when something special is in front of you. I trusted our PR team in saying we should offer you the exclusive on what is one of the most important technological developments in the history of Mankind and I deeply regret it. Good luck with the rest of your writing career. -Dar Sleeper”

English
311
125
2.2K
691K
Rodrigo Branco retweetledi
Brad Spengler
Brad Spengler@spendergrsec·
Isn't this common knowledge? lists.openwall.net/linux-hardenin… In 2020 even we had decoupled BPF JIT support from module support (so you could have !MODULES && BPF_JIT) and forced on constant blinding whenever RAP was enabled to cover CAP_SYS_ADMIN-provided programs (unpriv disallowed).
English
3
1
12
2.5K
Rodrigo Branco retweetledi
David Crawshaw
David Crawshaw@davidcrawshaw·
@d0m96 Freedom of association, quite possibly our most important freedom, means you are free to go out there, find people as weird as you, and build a community completely inaccessible to wider society.
English
1
2
38
1.2K
Rodrigo Branco retweetledi
Ellen Carmichael
Ellen Carmichael@ellencarmichael·
The most interesting part of the red card saga isn't the ruling. It's how differently Americans and Europeans process the idea that they might have been wronged. Europeans are fundamentally different from Americans in one particular way: they expect life to be aggravating and at times unfair. It's just a fact of moving through the world. I joke that in Europe, the customer is always wrong. You didn't read the fine print. The only pharmacy in town is closed every other Tuesday for three hours, and even if the times weren't posted, that's still your problem. Too bad if you want the bill, because the waiter's on his union-mandated half-hour smoke break, and you're just going to have to wait. To quote the great Mark Knopfler: sometimes you're the windshield, sometimes you're the bug. There's something freeing in that. Things are less in your control, so there's less angst in managing your expectations. In America, things couldn't be more different. We simply can't accept a wrong left unrighted. The flight attendant sneezed handing you a drink on your one-hour flight? 15,000 frequent flyer miles. Didn't like your appetizer? A replacement is on the way, and the whole course comes off the bill. There's a reason our interstates are lined with trial lawyer billboards. Europeans have turned complaining into a continental pastime with no expectation that the universe owes them a remedy for their grief. You gripe about the train being late, your friends nod solemnly and everyone goes back to their apéro. In America, we launch a full-blown investigation of the train system, sue the government (and its contractors) that allowed for the tardiness and hold a Congressional hearing on the state of national infrastructure. So to an objective observer, the red card shouldn't have happened, and VAR was a travesty. To Americans, our star player shouldn't be unfairly banned from a match we couldn't afford to lose for a card he so obviously didn't deserve. Who cares that FIFA used a little-used reversal to fix it. Who cares that other people are mad about it. We. Were. Wronged. It was unjust. It must be corrected. We would accept nothing less. Europeans waxing poetic about the sanctity of the game are, of course, talking about a governing body whose last tournament host was decided via confirmed cash bribes — one that imposed dress codes on women, shrugged off widespread allegations of modern slavery and reconfigured the entire tournament calendar to suit the host country. Which is exactly the point. If you've made peace with all of that, at least enough to watch the tournament four years later, a probationary suspension isn't actually a scandal. Maybe that's the real divide. Over millennia, Europeans have made peace with being the bug. Americans have never once considered it, and apparently, we're not about to start now.
Ellen Carmichael tweet media
English
8.1K
2.8K
21.6K
6.9M
Rodrigo Branco retweetledi
Brad Spengler
Brad Spengler@spendergrsec·
"AI-assisted static analysis confirmed by Intel Product Security" sounds cool: git.kernel.org/pub/scm/linux/… But even cooler is automatically not having the vulnerability for the past 8 years, courtesy of RESPECTRE:
Brad Spengler tweet media
English
1
2
25
2.2K
Rodrigo Branco retweetledi
Hex-Rays SA
Hex-Rays SA@HexRaysSA·
The IDA Domain API just got a big update. 👀 This version adds microcode, pseudocode, imports, and flowchart modules — covering most of the everyday scripting surface in IDA. Less boilerplate, same power. Open source and welcoming contributions. Read the blog for before/after examples. 👉 hex-rays.com/blog/whats-new…
Hex-Rays SA tweet media
English
3
12
58
4.5K
Rodrigo Branco retweetledi
Yarden Shafir
Yarden Shafir@yarden_shafir·
In case you wondered, writing an article for @phrack is going great (I have 3 pages of disorganized notes, 7 IDA windows open, this diagram and 3 days to finish)
Yarden Shafir tweet media
English
9
28
303
35.5K
Yarden Shafir
Yarden Shafir@yarden_shafir·
@bsdaemon I’ll do my best! I like to pretend to myself that if I remembered the deadline I would’ve started earlier but that’s a lie so I’ll do it under pressure telling myself next time I’ll start early. As usual.
English
1
0
5
895
Rodrigo Branco retweetledi
Brad Spengler
Brad Spengler@spendergrsec·
So for 2 years all non-grsec 6.6 LTS users on Zen3 were tanking performance by running with Retbleed mitigations unnecessarily. Good call covering that up.
English
1
2
13
3K
Rodrigo Branco retweetledi
Mitchell Hashimoto
Mitchell Hashimoto@mitchellh·
Creator of Sqlite on pull requests: "You say, oh, it's free. No. It's not free. What you're doing is asking me ... to maintain it for you, to to document it for you, to test it for you, to maintain it for you for the next 25 years. That's not free." Yep. Wise words from a wiser man than me. I've told people for the past decade and I have recent posts on here saying the same: the merge button is the easy part. Its the decade+ (Richard says 25 years) that follows where you've accepted the transfer of maintenance thats hard.
English
60
396
6K
284.6K
Rodrigo Branco retweetledi
Brad Spengler
Brad Spengler@spendergrsec·
We found/fixed this one and a couple other cases October 2018: git.kernel.org/pub/scm/linux/… Line from the changelog: - turned a few misguided attempts at bound checking into real ones, detected by the Spectre plugin
English
2
2
6
1.6K
Rodrigo Branco retweetledi
Hex-Rays SA
Hex-Rays SA@HexRaysSA·
It's not too late to sign-up... We're hosting a free virtual workshop/webinar on idalib — IDA as a library. Call IDA's analysis engine directly from your own code, automate workflows without launching the GUI, and integrate IDA into any toolchain you're already running. 👉 2dgu4h.share-eu1.hsforms.com/2D4ZYPjdCRFODE…
Hex-Rays SA tweet media
English
1
20
94
6.3K