Tuesday, November 20, 2018

"Don't you build your own tools? If not, why not?"

In a recent issue of the Doctor Strange comic book, the good doctor is asked a question by the weapon-forging Dwarf Eoffen: "Don't you build your own tools? If not, why not?" It is a question framed by an expert from one generation talking to another about their skills and experience.

Doctor Strange, where are your tools? (Doctor Strange (2018) #4)

A colleague brought up the point that some of these large toolsets and frameworks were written by experts ("wizards"/"sorcerers") who invested so much of themselves in the tools they built, and that it's a sign of respect to associate their names with them. While related, that is not the issue here (e.g. Fyodor will always be tied to nmap, Ilfak to IDA Pro).

Building your own Tools

In interviews I ask a form of the question the Weapon Master Eoffen asks Doctor Strange. That, and whether you like puzzles. Much of malware analysis and reverse engineering is puzzle solving. In CTF challenges or when cracking software protection you're trying to figure out how your opponent is trying to fool you. Eventually you get good at solving the simple challenges and breaking simple ciphers. Then you start upping your game, doing more research, and building your own tools.

Why? Because your opponent knows what you do and what's in your toolset; after all, you're both in the same business. We know the strengths and, more importantly, the weaknesses of our standard tools.

I like to say that every Windows reverser eventually writes their own PE dumping tool. The same applies to any platform and its executable or other file formats. Not only does building our own tools give us a deeper understanding of what we're studying, it also gives us alternatives when the standard tools fail or are disabled.
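As an added illustration of the "write your own PE dumper" point (this is example code written for this page, not the author's tool), here is a minimal PE header dumper in Python. It parses only the DOS header, COFF header, the start of the optional header and the section table, and the PE image it reads is a constructed byte string, not a real executable; one section's raw data is deliberately cut off so the dumper's end-of-file check has something to flag.

```python
import struct

# Struct layouts from the PE/COFF spec: COFF file header (20 bytes) and section header (40 bytes).
COFF_FMT = "<HHIIIHH"
SECTION_FMT = "<8sIIIIIIHHI"

def parse_pe(data: bytes) -> dict:
    """Dump the headers of a PE image; raise ValueError on anything malformed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no DOS header / MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)      # file offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, flags = struct.unpack_from(COFF_FMT, data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)           # 0x10B = PE32, 0x20B = PE32+
    (entry,) = struct.unpack_from("<I", data, opt + 16)      # AddressOfEntryPoint (RVA)
    sections = []
    for i in range(nsec):   # section table starts right after the optional header, whatever its size
        name, vsize, va, rawsize, rawptr, *_, chars = struct.unpack_from(SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "raw_off": rawptr, "raw_size": rawsize, "characteristics": chars,
            # raw data running past end of file: a truncated download or a deliberately crafted header
            "truncated": rawptr + rawsize > len(data),
        })
    return {"machine": machine, "timestamp": stamp, "pe32plus": magic == 0x20B,
            "entry_point": entry, "characteristics": flags, "sections": sections}

def build_sample_pe() -> bytes:
    """Constructed minimal PE32+ image for the demo; it is not a real, runnable executable."""
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0"   # e_lfanew = 0x40
    # AMD64, 2 sections, optional header deliberately cut to 24 bytes, EXECUTABLE_IMAGE|LARGE_ADDRESS_AWARE
    hdr += struct.pack(COFF_FMT, 0x8664, 2, 0x5BF3F000, 0, 0, 24, 0x0022)
    # Magic=PE32+, linker 14.0, SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData, EntryPoint, BaseOfCode
    hdr += struct.pack("<HBBIIIII", 0x20B, 14, 0, 0x200, 0x200, 0, 0x1000, 0x1000)
    hdr += struct.pack(SECTION_FMT, b".text", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    hdr += struct.pack(SECTION_FMT, b".data", 0x100, 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0xC0000040)
    return hdr.ljust(0x400, b"\0") + b"\xCC" * 0x200   # .text bytes present, .data bytes missing on purpose

if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(f"machine=0x{info['machine']:04x} pe32+={info['pe32plus']} entry=0x{info['entry_point']:x}")
    for s in info["sections"]:
        print(f"  {s['name']:8} va=0x{s['va']:06x} raw=0x{s['raw_off']:x}+0x{s['raw_size']:x} truncated={s['truncated']}")
```

Honouring SizeOfOptionalHeader instead of hard-coding 224/240 bytes is what keeps the section table aligned on odd-sized headers, which is exactly where a quick one-off script usually breaks.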

Training
I received some of my earliest training with professional tools built and designed by others, some of which are now as outdated or outclassed as the spells used by Doctor Strange. Can we write the same tools? We may not all develop the larger-scale tools or frameworks ("spell books"), but eventually we all make our own special-purpose tools. Colleagues, even those who claim they don't "code" or program, still end up writing their own tools, using everything from full-fledged programming languages to bare-bones shell scripts.

On my first foray into the antivirus industry my mentors trained me by throwing a bunch of malware at my desk and my machine. My only tools were a system-level debugger, some DOS floppies, a modified hex editor, a DOS & BIOS function/interrupt reference, and a notepad. It did teach me that those last two would be my best and first tools. Once we entered the Windows era, something like that would have been counterproductive. These days I would modify the initial toolkit, but it would still involve teaching my charges how to take notes and trust their intuition.

Of course we build our own tools
In the end Doctor Strange, former surgeon, Sorcerer Supreme of Earth, and arguably a professional user of and subject matter expert on all things magic, must use his knowledge and experience to craft his own mystical weapon/tool, the "Scalpel of Strange". Did it do everything he needed it to do? No. It did allow him to complete the task at hand. Was it a reflection or implementation of his experience, attained knowledge and intuition? Absolutely.

It's OK to trust the standard tools. Just don't leave everything to them. Do trust in yourself and your own tools.
