ush.it - a beautiful place

Reflection on Stefano Di Paola

May 29, 2007 at 12:37 am - Filed under Team, Reports, Language EN - 728 words, reading time ~2 minutes - Permalink - Comments

Anurag Agarwal has published a reflection on our friend Stefano Di Paola. The interview contains a condensed auto-biography (nice reading, thanks Stefano!); integral text follows.

When I was 9 or 10 years old, I began to hack my 45 rpm portable record player in order to control the angular speed and play with my childhood songs in a funnier way. Then I realized I didn't know how to remount my opened player, I asked my parents to buy me another one with the promise to not break it again. I kept that promise... or at least for a while. A couple of years later I decided to hack my tape recorder and I succeeded in mixing voice recording while playing music (my mother never knew I recorded my voice on her music tapes).

I started to practice with computer security when I bought a 486 in 1997; I was a student at the Computer Engineering Faculty at the University of Florence. The first thing I read about hacking was about reverse engineering and cracking shareware software protections. It was quite funny but when I managed to install my first linux 2.0 on my PC, the approach and the vision were going to change inside me. I had already worked on Sun Solaris and AIX at the University, but linux was my first Unix love. The research and the study about linux configurations tutorials brought me to Phrack and "Smashing the Stack for Fun and Profit" by Aleph1. The first time I applied all the theory I had learned was when I urgently needed root privileges on a SGI Workstation at the university while I was finishing my master degree thesis. As the sysadmin was sick I decided to get root by myself and accomplish my tasks. After a couple of days I warned the sysadmin about my privilege escalation and I told him how to fix the issue.

It was in 1999 the first time I stumbled upon http://www.fravia.org/ and I was amazed by the quantity of information about hacking old style CGI web pages and search engines. Since large number of web servers where on *nix OS flavors at that time, my background on linux, Sun Solaris and AIX helped me a lot. I realized it was quite easy for me to find flaws on CGI scripts (most of all system execution vulnerabilities). As a consequence of my hacking research activity, I began to think about web application firewalls but since it was early days of web application security and no information on WAF was available on the net, so I gave up. But it was in the 2004 that I decided to work as web application security consultant and released my first public advisory.

I've been working as a freelance in Italy from 2000 to early 2007 then I founded MindedSecurity (an Application Security Company with the mission to build a Center of Excellence on Web Application Security in order to give high quality services).

The full article is available at My App Security, surf on Stefano di Paola's website (fully loaded with webappsec goodies) or the MindedSecurity company portal.

Now that you are in ethic mode why don't read all the "International scenes" articles released on phrack (there's one also on the latest, leaked :), 64 issue)?

Phrack issue 45 file 27 (Argentina by OPii, Australia by Data King, Greece by Opticon)
Phrack issue 46 file 27 (Denmark, Russia by Digital Empiror and Stupid Fucker, Norway by cyber aktiF, Australia by Data King)
Phrack issue 47 file 21 (Norway by Digital Freedom Phanatic, French by NeurAlien, Italy by Zero Uno, Denmark by LE CERVEAU)
Phrack issue 48 file 17 (Sweden by Triad, Brazil by Barata_Eletrica)
Phrack issue 64 file 17 (France by Nicholas Ankara, Quebec by g463, Brazil by sandimas)

THP USH Wisec DigitalBullets