
Interview with SirDarckCat

Article written by .mario

This is the first part of a series of interviews with people from the PHPIDS group. Today we are talking with SirDarckCat, who helped us a lot in hardening the PHPIDS against complex XSS attacks. Besides a few others, he showed us what obfuscated JavaScript really looks like and gave us several headaches when fixing the rules against his attack vectors, which you can see here and here. Have fun reading!

Q: Please tell us a little bit about yourself
A: Well, my name is Eduardo Vela, I’m studying Engineering in Computational Technologies at “Monterrey Institute of Technology and Superior Studies”, I’ve been collaborating with some communities, mainly developing tools, documents, and doing some research in security. In the rest of my free time, I play piano, and hang out.

Q: How did you get involved in webappsec?
A: Actually, as a need. I first learned HTML like 6 years ago, then I needed more interactivity, and learned JavaScript, then I needed more security, and learned PHP and MySQL, and that’s where I started breaking things. Since then, I’ve been working with war games, and pen-testing. My passion is security-related programming, so all the time I’m doing some exploit, researching some vuln, or making some tool.

Q: What color is your hat usually, and why?
A: My hat? Well, I am mostly white hat. Responsible disclosure is the best way to go, it gave me good results in the past, and helping to secure the applications I use is not a service I’m giving to the vendor, it’s a service I’m giving to myself. Anyway, I have to admit that from time to time, I get involved in some black hat projects. White hat is more self-rewarding, and it’s even more fun.

Q: Where do you see webappsec in, let’s say, 5 years?
A: The webappsec industry is still under development (let’s say, we aren’t in beta any more, but the release isn’t very stable). New attacks are still being invented, and new types of vulnerabilities and tools for exploiting them are under development (that’s for the bad guys), and also, the research on countermeasures is not so developed. Today the attacks are superior to the protections. As I see it, we are on the rise of the industry, and in 5 years it should be at its most.

Q: What do you think of the PHPIDS and related projects?
A: I’ve needed to deal with Apache’s mod_security and mod_rewrite rules (and some PHP-based attack detection scripts, and a lot of really bad filters) that are extremely easy to bypass. They create an illusion of security to admins that doesn’t really exist. It’s very important to create real tools (created by hackers, not webmasters), and PHPIDS is one of the few that actually gives developers the ability to deal with real attacks.

Q: Thanks a lot for the interview!
