Meet Tomé Duarte

Tomé Duarte is a web engineer consultant with 10 years of experience. He will be at Porto Summer of Code to talk about web security, giving a workshop on penetration testing of real-world apps.

Tomé Duarte, Web Engineer Consultant

Hi Tomé! Glad to have you with us. Could you please tell us where you’re from, where you live now, and how you got there?

“Hi! :)
I’m originally from Porto, Portugal, where I grew up and went to college.
I did a short stint living in Brazil for a couple of months, in the lovely city of Vitória, ES; I quite enjoyed it, but my love for Porto brought me back to live there.”

What does your typical day look like?

“I believe in the power of habit [1] and follow a routine, rolling with the punches when appropriate.
My sleep schedule varies depending on what timezones I’m working with at the moment, but essentially my days go like this:
  • wake up, have an espresso and 0.5L of water
  • ~20min morning exercise and 10min meditation session
  • by this point, I’m fully awake
  • get ready, have some oatmeal or lunch (depending on time of day)
  • get out and take care of random life stuff
  • get to the office, start a podcast playing and achieve inbox 0, with an approximate GTD method; everything is either:
    • replied to
    • snoozed for an appropriate date/time
    • processed into either a task on my Moleskine notebook or a note on a client’s Trello card
  • get my pen & paper out and quickly review week workload / on-going stuff
  • (recursive) pick the next task, start Toggl and Magic Work Cycle, and go at it; I use a variation of the pomodoro technique, with longer stretches for focused technical work
  • get out of the office by dinner time
  • go for a run or a swim, if I’m in the mood
  • cook something good (I love to cook) and enjoy it!”
1: https://www.goodreads.com/book/show/12609433-the-power-of-habit

We have to ask: in your opinion, how safe are our critical systems? Should we expect something major to be hacked in the near future? Or are we watching too much Mr. Robot?

“Well, that’s a difficult question to answer without actually trying to hack them, isn’t it? :) Seriously, though, the answer lies outside of technical analysis.
Portugal has some world-class security professionals and organizations, and there has been some very good work done in the last few years, both to lock down critical systems and general security improvements. It’s not possible to be “100% safe”, but we’re making good headway.
I think it’s important to remember John Gall’s law [1] when thinking about this:
“A complex system that works is invariably found to have evolved from a simple system that worked. A complex system designed from scratch never works and cannot be patched up to make it work. You have to start over, beginning with a working simple system.”
So, let’s break these down into some key infrastructures:
  • government central systems: overall progressing in the correct path, still some hiccups of course. It’s a very large mix and legislation, data privacy and related considerations are all factors in both decision making and speed.
    Projects also must be publicly bid most of the time, as it is taxpayers’ money being spent. Very difficult to ensure the IT parts of project development are security conscious
  • legal/judicial systems: there was a big mess recently with Citius having a public meltdown and we haven’t fully recovered; it’s still under the spotlight and too soon to tell if it’ll be safe long term
  • power generation, etc: I have no visibility into those; no idea!
  • banking: the basis for Portuguese banking technology systems was COBOL. Sad thing is, it still is! There’s a lot of wrapping with modern technologies and quality development, but some of the core legacy systems have been in place for decades, with tweaks every few years.
    E-banking is common and generally safely deployed, with an effort to make it very safe (token cards, etc). We also have some fantastic things like safe virtual credit cards (MBnet)!
  • local municipalities and councils: certainly undervalued. They’re usually the responsibility of local resources, although somewhat constrained by central ruling (as far as I know). Security varies greatly from one to the other: there’s excellent and awful
  • private figures: the only one that comes to mind is the political parties’ local headquarters. Similar to local councils: there’s been some public defacing that hit the news some years ago, but it doesn’t really impact our lives
  • FCCN / DNS / RCTS / Local Public School Systems: the core of our “Internet” development has always been academia and education systems. Good work overall, with some hiccups along the way
To conclude, it’s also important to understand the Portuguese ecosystem: since the 80s, we have had some of the very best hackers and hacking crews, even if mostly low profile. We’ve also had some vocal hacktivism, including the remarkable Timor-Leste hacks [2], and this wouldn’t be complete without mentioning AP2SI [3] and BSides Lisbon [4].”
1: https://en.wikipedia.org/wiki/John_Gall_(author)#Gall.27s_law
2: http://hackstory.net/ToXyN#The_Portuguese_Scene
3: https://ap2si.org
4: http://www.bsideslisbon.org

Wow, so much information! A personal question now: when did you get your first computer? How did it feel?

“I was lucky to have a big brother that wanted to be on the edge of technology. :D
My first computer was a 286 CPU model, which I shared with my brother. It was overclocked for a while before upgrading to an ultra-fast (at the time) 486! I started out typing commands I didn’t understand in MS-DOS, and sometimes booting Windows 3.1 for some stuff.
The first computer that I owned was a Toshiba laptop, when I got into college. I had it for 5 years, running from WinXP to Slackware, PC-BSD and finally Gentoo GNU/Linux.
One thing that completely changed my life was access to the Internet very early on. The ability to get online and “surf the web” as a teenager was what led me to find security wargames and dive into programming and network security.
Actually, I remember one of the first times I used Google was to search for C programming tutorials, back in high school. Before that, all we had was Yahoo!, Altavista, Astalavista and our very own SAPO!”

How old were you when you first “hacked” something? Can you tell us what it was?

“I guess it depends on your definition of hacking:
  • wargames: I was heavily into these between ages 14–17. I still play some for fun and toying with new tech, from time to time!
  • live systems: started with some toy stuff at 15; actually securing an initial foothold all the way to continuous anonymous access, probably 18 or 19
  • first private disclosed vulnerability: 2007, IIRC
Wargames
I really enjoy wargames. I started with “hack this site” [1], and moved on to more complex stuff like “root this box” (now offline), “smash the stack” [2] and “over the wire” [3].
There’s plenty of other good stuff out there, too.
Live systems
The first time I remember was actually really basic stuff branched out off of some Google Dorks (from johnny.ihackstuff) to find vulnerable systems. A couple of things I enjoyed most were printers (to store exploit code) and webcams (just for fun).
Over time, as I learned to protect and defend systems, I started to learn more about rootkits, how to hide actions and how to counter-measure those issues.
Another big milestone for me was learning the ins and outs about networking, protocols and “tracing” so I could understand where attacks were coming from and how to jump hoops to either be difficult to trace or to find the source of an attack.
Important disclaimer: I do not advocate or condone hacking systems without previous authorization. If you’re doing it, make sure you’re prepared to face the consequences.
Vulnerability disclosing
The first vulnerability I remember finding and disclosing was a local file inclusion on a custom-made PHP CMS. I sometimes randomly click to view-source on websites and poke around; we all do, right? Right?..
I stumbled upon a website with a URL that included something like page?id=home, which piqued my interest; turns out I could see other files in the system, and eventually get a webshell on the server.
As it happens, it was a custom CMS a webshop sold to clients. I contacted them and disclosed the vulnerability.”
1: https://www.hackthissite.org
2: http://smashthestack.org
3: http://overthewire.org/wargames

We have a lot of students in PSC. Is there something you’d tell them that could help them immensely starting out their careers?

“Don’t be afraid to try, and don’t come up with excuses not to.
When I got into college, I already knew how to program in 5 programming languages, had spent some time working on game development and was learning all about IT security. During college, I was building things by my second year that I would learn a few years later if I followed the curriculum.
Learn by doing, building and breaking. Study what piques your interest, and never from a single source.
The Internet has a lot of information. Be keen on educating yourself!”