Interview with Pedro Vilaça

so now we have filled vilasa and determines again with us pilgrim the first question I want to ask you is actually about your new project so you're trying to inspire Portuguese people to come forward and do more conference presentations why is that and you know what do you expect them to do I expect them to do something so I expect them to finally get smart and start doing something because we are a very nice country with a lot of potential we have good ecers we have people that I know that they good work the only thing that they don't know is come forward it's the what we call the Portuguese fado oh I cannot do it oh I'm not doing

the zero days and that is irrelevant or I cannot present into a big conference it's not a difficult play people just need to do some work and that's the reason for that project it has been on my mind for like a few months is but you know they will give the quake and the opportunity with Federico and just came up and okay yeah and then I noticed on my brain oh I'm going to present at a Portuguese conference full of Portuguese guys so we can I can try to lunch and the cost for me is not that big it's just a website to blog it's just a matter of putting tests online so I need

people to come forward and it's good for them I made a whole career what worldwide with a simple blog that's it and the event started with a with the procedure with a it was a joke it wasn't planned it was okay I will Joe I have the domain I will just put that put that that in the the content there and now it's okay which just came where there is no point first changing the domain because of people stuff because it's fun it's some sort of trolling so that's the main reason for for that I believe in that we have potential I want to I will try to do some work at political level and because I on Wednesday there were I

went to sell people talking about politics cyber security and so on but they are not talking to the to the hackers to the people that let's understand the field that do technical stuff they don't want to hear about stack overflows and all that stuff but they need to understand that we have talent that any programs that our universities are not training anyone they don't know anything I think two presentations last year about firmware and it was like no one in the audience and you knew about that and I did on purpose because I wanted to understand what is the devil but we have this we have this potential and I still p-wave on that stuff so I

just need people to start writing it's sometimes it's very simple if they go see my initial posts there are simple poles and then you start gaining scale we start improving you start learning how to write better and so on this is my offer that's why I say I'm an editor and I can grab a few guys to to assist because we already know how it works we can help them we can fix their text we can explain things better or help them to explain and it's fun it's like contribution to the community I always say make fun with community on the US but hey yeah it's it's something that I believe it can work if people really

want that's it don't you think this is a common thing because I'm when you look at the hacker and the security community everyone feels more comfortable behind the computer behind an avatar beacon behind a nickname when you go to this kind of conferences it's quite hard for them to mingle okay so they don't eat okay okay there's also something very particular about myself I'm from economics so I see many things in different in different point of view of course they can they can keep on their stuff they don't need to really be social that's the power of the Internet that's the power of a blog you create a persona I created my persona and you

create a persona and you write content and work will come to you it's how it works they don't need if they don't like to socialize they don't need to socialize they need to they can talk to people online there's and there's a lot of work word what matters is they give you some input you are the black box and they want output and that's it so people don't they need to change their behavior in terms of put information out if they don't like to speak in public hey okay it's hey they need to I didn't like to speak in public so and the tire I forced myself I did an MBA for that reason because I knew I okay there were more

reasons but one of those was that I know that I will be forced to speak in front of an audience so I will do it and I'd like some that it's difficult but it's not rational when the most thing that people fear in the world for many many many questionnaires that have been made it's number one is speaking public number two and this so if you are dead it's relevant if you became weak or not at all so don't you think that the the so besides is it's a and it's it's well this one is it's in Portugal to improve the Portuguese community but you also had yesterday the Lightning talks and do you think that the Lightning talks could

be that kind of middle step for people to be just before word Express yeah it was their own totally and we have in Porto and I'm trying to help them I will help people if some time with what is needed it's time my my presence I will gladly help people you can say I'm a rock star yeah maybe I'm famous on my on my place but I will I'm okay without being people and you know Porto we have a monthly meeting where people are start starting to to speak it's not the best talks than most of them are still not good but then it's sorry and and we the others are the most senior guys I'm fine and I can help them I can

go tell them don't do that our presentations for example those guys that were presenting the the exfiltration data yesterday have the slides in black and I told them don't do that because it doesn't work I did that once I did I so many presentations worldwide with that stuff it doesn't work most of the times the projectors don't work and the cold the contrast is bad and so on but these are the small things that that that you learn or by speaking and by and by testing so you can help people it's just tell them so you at least when you have the contrary sometimes they have problems with speakers because people are not are not coming

for it they should come forward it's it's yeah it's usually people need to think about and this is the reason why I put some stuff on the slides value if they are giving value to someone it's great if someone is learning something or someone is solving a problem with your with your input it's great and this is the spirit and for example I talk to people these days and they talk all you have Portuguese salaries if I told them the salaries that you can get remote working in Portugal there's no idea of the market and its own really yes of course you can of course you have to be good but you have to build your brand

yes I feel here and everything about the project that project is about creating something to take you the brand to a bunch of people that really want to do it it's open now it's there it's there it's there we roll to step forward if they don't want it's not my problem I have my brand that's it if they want to send me I will help them if they don't want it's for me it's just it's just a bunch of slides it's not going to destroy my reputation anything I just say well you still have your own reputation you just you just walk Rockstar right yeah so I'm sorry to see that what's what's with the federal

attraction with with Apple it's not age I never had an apple I never ever Mac I bought a Mac by a very lucky via by a very certain Beauty event there was a friend that a Mac wanted to sell it was cheap and ok I want to buy it then the guys sold to someone else and I got ok now I want to make and I want to Mac I was working on seems when that happened so I bought two Mac the first thing I did was starting to reverse stuff I like to crack stuff prefer stuff so I started doing and there was no nothing not they were like one or two plugs on with very

few posts on these stuff so I created manage ok I'm going to create a blog and start writing about this stuff I need so how about timing I was lucky completely and it was a moment of complete luck because I was playing with a Mac I could read it that I created the Aneesh and after a while there was demand projects working and so on so I stayed on that niche it's and it's still happy I'm so happy by doing that I can reverse anything for me it's just cold so I but let me she's service with me well so uh at least for now I don't need to I know you were just just trying to

reverse my microphone yeah just to break it there's something you research that's that's the spirit it's and that's what I King is all about making questions why why why not what if let's and Portuguese are good on that it's a what made you question the NSA tools because your talk was around that it wasn't recorded didn't can't really talk much about it but the shell workers got them leaked I reverse stuff I wanted to see what are these guys doing in terms of engineers what you can't really find out much about your findings in terms of your talk but in terms of the engineering work cuz like I've seen some of the backdoors and all that and I have called

them often beautifully engineered the other people don't get what I mean by that I think you do get it right they are they are it's not proof of concept code it's code that is well written that people were thinking about that stuff so it's really nation state breathe it's not some Russian or Chinese doing malware on the dark web it's stuff that is really well designed and it's expected these guys are I've been doing this for like twenty thirty yeah who knows years and they are very good they've really good budgets so they do it and you have to tip them off for days they are good okay they make mistakes everyone makes mistakes but they are

much better than everyone else that's that's the thing and the tools were there and once again it's you have to be curious about things they are dead the opportunity is there because he usually we don't see this stuff in the wild I just start reversing that stuff I wasn't expecting to find anything that was a huge surprise but it's there and everyone was once again everyone was focusing on on exploits and ice Anish on on the tools and and no one is at least looking at at least for now or at least in public looking at the tools so that's an opportunity do you think that we should expect more more of these tools online leaked in the next few

years or it just there is a huge archive on the on that on the Shadow Broker so lots of stuff to reverse these people want projects it's there WikiLeaks start finally leaking code yesterday from CIA so at least we have that guarantee from CIA we are going to see more code from other agencies maybe they have a problem people are leaking why people are liking that's different reason it's educated people have their own reasons but it's very tough to keep this stuff secret we're and especially well from economic point of view the problem is that they are outsourcing most of this stuff and outsourcing people don't have the same level or same dedication level yeah let the internals

and that's one of the problems that they are having that's it which is by the way that's one of the questions I was telling to people we don't know what is what is this about what is the mission about and it's not our role to step in the middle of this fight it's in the middle if our machines are being attacked and posting reverse and for me it's a fair game yeah the tools are probably you can reverse that's it we shouldn't learn from right yeah for me we totally learn because it's great to learn from their mindset what they are doing and to understand because they were presenting the exfiltration from the wireless network who's looking at

their our wireless network not even wired so these backdoors this specific and I say backdoor is difficult to understand to understand that network level if you it's easy if you know what to look for if you don't know it's very it's very difficult so we need people to advance on on this stuff and this is why it's really fun and useful to to reverse engineer these this type of tool one question I have for you is so these tools actually quite bold if you look at the decks are like 2013 years and we can't got to look at you know the carton with these tools how do you think they've been evolving since like do you think because they mess it was

quite constant access plan and everyone you think they've been improving or they cut the states taken from that's a difficult question because they don't know I would Fred make a guess and based on some of the stuff that you see and from knowledge from human biases I will guess they some some parts they are not evolving they are too confident that they are okay other parts they are probably evolving because systems are evolving and so on so it's a wild guess we never be a weak to understand okay what is the the step now we have a starting point we have these archive if there's another one we can see okay the hardest guy is really evolving probable

probably in some stuff and some others now for example they were using the same code of secession code in different tools this is over confidence or from our point of view is over confidence because once you find one you can find others yeah just go to virustotal and you start getting all the samples so that that is a problem and now we also have the CIA leaks if they start coming which is interesting to compare the style of thinking is the CIA better than the NSA probably not is there for example the same contractor trying to do stuff mainly so it's it's interesting to have these leaks from a research point of view from a point of view of being

always say the Internet's hero saving the Internet that's one perspective from from my point of view it's a war that if you want to if you want getting to that war you join them or whatever and you try to to change from the inside but you cannot do that because there's a lot of value for them NSA and everyone else to to do this so what what kind of advice can you give me as a young InfoSec researcher or something I'm still young no but someone that just graduated graduated from school is starting his profession or her profession and then he wants to jump into the bed bandwagon which kind of advice can you give to

that person at the moment looking to this or that particular area you've gotta find a niche find a niche try to find a niche try to look at what people are doing what people are not doing find that niche attack that niche and try to be the best you have if you don't want to be the best then you are never going to be the best and we can be the best and try to do that and then work and also there's look there's always looking life lucky's you know when you're here for example many CEOs saying yeah I know that my story is success most of that is like 80% success and 20 knowledge because it's it's like

that when you hear someone telling stories for example website now my success story by why I did that and if they forgot it's a known human bias defer gods look most of them were lucky they were on the right time okay they step forward on the right time of course stepping forward and doing something is is an important step if you don't do anything nothing will happen but luck is part of it so try to scan the displace info psyches is probably the last job for life everyone is saying there's no jobs for life everything for psyche is or at least for my useful life so totally and you can find a lot of stuff to do try to find that that space

and the dead space once again from an economic point of view that creates value it's all about value if you can create value you can find your space and you can be a rock star researcher really it's you prefer if a second server

show me the money show me the money that's I worries you start seeing the adoption of cyber maybe cyber cyber is easy which even if we don't like it it's maybe a term that people identify with and it's useful you have to most people hey I was at a conference with lots of administrators managers and that was I think fun looking at people's cell phones most didn't have them locked with a password most were probably connecting to Wi-Fi most were using androids that have no update so everything is vulnerable so people are at a conference about security and they are doing insecure stuff if we can use cyber to to change this yeah hey whatever it's a big just

it's just a name yeah alright ok cool well and this is from use my last question you just mentioned that you are looking more into politics and all that so I got asked Russians interviewed with the u.s. election by a cyber yes or no everyone is saying that and that was a personal opinion it's obvious that they did because it's very easy to influence I do that that kind of experiments you can troll people i troll people for for experimentation a lot of people don't notice that it's very easy to to manipulate people in the cyber and you can see these guys you can just login into the any newspaper or around the world you go see the comments and you

see everyone is on rage and so on yesterday you had for example WikiLeaks really CIA is spoofing Kaspersky and the Shana everyone see the case for the u.s. to kick Kaspersky is weak because it's going wrong see because there's no what what CIA was doing it was putting a certificate name and they put Kaspersky there which is obvious if you are trying to to do these guys yourself you're going to use a known stuff because anyone that looks at the certificate sees its invalid but a guy that is distracted looks at that stuff and probably says ok so everything is ok so it's not spoofing but you see the range that a single tweet can kind of provoke

and you see these you need a lot of stuff it's it's it's very easy to manipulate and the Russians under understood this earlier than than everyone else and they they they're the number one John Elliott yeah yeah of course there's good stuff for example that I was saying yesterday about the case of a key that he's dying and he's probably will probably not reach Christmas and so there was some news about people he has people to send him cards Christmas cards so they could do early Christmas and the kid received like 40,000 postcards and gifts I sent him one because hey that's a good stuff from from the internet and the kid was very happy and so on and so

you can do positive things and you can do wrong things it's clear these days that the Russians are leading on on psyops if and if you read history about Russian intelligence they were always good they kicked out all day they drop the race on for example crypto analysis and so on because they were very good at at human intelligence the famous Cambridge five and Phil Kiwi that penetrated the mi5 and so on so they are very good they understand the human being and those kind of operations are about human being and the power of the internet so now if everyone can imitate that process maybe they will try ok thank you very much thanks cheers thank

you wiser thanks