This is the web page for Gianni Tedesco <gianni at scaramanga
dot co dot uk>. By accessing this website, you are agreeing to the terms
of the secret agreement. Refusing these terms indicates acceptance of terms.
These days I am doing commercially motivated work in the SIEM space. In my
spare time I'm working on a high-speed network IDS in
which snort rules are compiled to decision trees and then to x86-64 machine
code and also a small RDBMS for OLAP-style workloads
which makes use of efficient indexes and JIT-compilation of queries.
Before that I spent a brief time working on high-frequency trading of
derivatives. Whenever I get a moment, I look at real-time order-flow
reconstruction from direct-market-access TAQ price feeds. This is sort of the
opposite of what matching engines do. We see new trades and quotes, and we use
this to infer the sequence of operations happening on the customer side. Doing
this is basically data-cleaning for developing short-term predictions of the
possibility of taking the spread - which is a way of managing risk for
automated market makers.
Before that minor diversion I was a bromide after a stint as a xen hacker. And before that I was mostly working on
smartcard and RFID related
projects and getting pretty interested about the application of temporal logics
to real-time intrusion alert
There are a few projects on my
github page that are not
covered on this site.
I'm also working on some Korean language resources for
intermediate learners of the language.
- The snatch Network Intrusion Detection System
- A fast network IDS. It features a decision-tree based rule optimiser
and compiles rules into x86-64 machine code. Intel's hyperscan is used
for string matching. More info will be forthcoming when I find a bit
more time to write about it.
- Firestorm Network Intrusion Detection System
- A high performance modular network intrusion detection system.
This project has been inactive for a while since my attentions
have been focussed on snatch.
- N.A.D.S. (Normalized Attack Detection System) is an
HTTP normalization library and squid ACL helper.
Data structures and Algorithms
- skunk DB - A write-once query-many database system.
Consists of a query-planner and indexes for append-only
- Roaring bitmaps. An implementation. Coming soon.
- Robin-hood hashing. An implementation. Coming soon.
- Hyper-Log-Logs. Some interesting uses. Coming soon.
- 32bit multiboot OS kernel with virtual memory for IA32 (PC/AT).
- PCI Host Proxy Support for QEMU
- The world's sexiest PC emulator can now use real PCI devices inside
the virtual machine (while also logging data sent back and forth
across the virtual PCI bus).
- USB Support for QEMU
- I wrote the initial code for USB OHCI emulation in qemu
- CCID Utils
- A USB CCID (smartcard device) driver and interactive shell.
Includes a graphical interface for credit/debit cards based on the
EMV specification and a basic GSM SIM card utility.
- A driver and set of tools for the ACG HF MultiISO RFID reader.
- A language for generating BER decoders. It's different from an ASN.1
compiler in that it's much simpler and it only deals with BER
encoded messages. It is intended for smartcard and RFID applications
where much of the data stored on these devices is, in-fact, BER
encoded TLV data. The language is designed to be very similar to the
template definitions found in the specifications for smartcard and
- An irc based nuclear war game
- An extremely unfair tetrinet bot which will annihilate any competitor
in a (configurably) short span of time. Trash-talk IS included :)
- An online monopoly-playing bot implemented in python and using numpy.
It used some numerical methods, like eigenvector centrality, to
determine steady-state probabilities for landing on any given square
while playing monopoly. The idea is that it would use these, along with
some basic rules, to play the game. The probabilities could be used to
calculate expected takings and payouts which can be used to inform the
decision of whether to remain in jail (RIJ) or leave jail (LJ) and also
whether a trade is worth taking or not.
- I've had a brief, and lucky, career as a blackjack player. I've written
some code to calculate optimal strategies and to simulate various
card-counting strategies. And also some tools to aid in memorisation of
such strategies, although they'd be better-off employing targeted
spaced-repetition. They do however contain some interesting
representations of the blackjack state-space and basic statistical
concepts. I'll post them here eventually.
- I began a project reverse-engineering the
pokerstars protocol. A number
of technical challenges had to be overcome to do this. Firstly the
protocol is SSL encrypted. I worked around this by using a debugger
and a hex editor to
patch the binary
so that the certificate was not checked. I then developed an
SSL man-in-the-middle proxy
and used network address translation to force the pokerstars client to
connect to that rather than directly to the official servers. At this
point I was able to observe the traffic going back and forth between
the client and server. However after an initial exchange of messages,
all communications were compressed. By examining strings in the binary I
guessed that the LZHL algorithm was being used for this. A further
search within the binary for LZHL lookup tables confirmed this. However
I was never able to get my decompressor to work fully. Some of the data
is decompressed fine but for some reason there are "holes" in
the output consisting of all zero bytes. Perhaps some brave soul can
figure this out and apply it to the latest version of pokerstars. This
code is some 5 years old. I have some example log files:
- parses intrushield signatures out of some binary file retrieved from
the appliance's disk image. Unfortunately this code is so old
(intrushield is now McAfee Secure something-or-other platform) that I
have forgotten the exact details. But the
output gives you a rough
idea of the time investment and consideration that was put into the
- Queries websense servers
using WISP. You can also get
tcpdump captures of some
WISP traffic if you are interested.
- Broadcom BCM94306 802.11g Adapter
- Some data logs and information about the BCM94306 card, I was aiming
to write a full specification but the b43 driver came along. I think
they used my data-logs to extract the firmware blob though ;)
- This is a graphical decompiler and reverse engineering toolkit that I
work on now and then. I am developing some patent-not-pending
techniques for retrieving C source code from machine code (as close as
is possible) as well as other things. I have also written an x86
control flow graph generator and a GNOME based binary level debugger
for PowerPC using ptrace. You can see the
main window and
- act.c and
- Allow you to extract data from Symantec ACT! databases. I started
turning the code into a GUI called fuct.
Code-Fu and Historical Stuff..
- Firewall Monitor (Linux only)
- A firewall monitor for Linux kernels, can dump full packets to
tcpdump files or hex dump to screen.
- Generate prime numbers using Eratosthenes sieve. Implemented using a
bit-vector making it a little less sensitive to cache timings and
- A simple red-black tree implementation. The left and right handed
versions of the various tree rotation algorithms have been folded in
to both-handed functions by using the XOR operator. This technique is
important because the code size is halved meaning more efficient use
of CPU instruction caches not to mention simplicity of implementation.
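The folding trick described above, as an added example in C rather than the author's own red-black tree code: children live in a two-element array so that a direction is an index, and `dir ^ 1` selects the opposite side, so one rotate() serves as both the left and the right rotation. The node layout, helper names, the five-node test tree and the check function are assumptions made for this illustration; the red-black recolouring logic is deliberately not included.

```c
#include <stdio.h>
#include <stdlib.h>

#define LEFT  0
#define RIGHT 1

/* Assumed node layout: child[LEFT] and child[RIGHT] instead of two named
 * pointers, so that a direction can be used as an array index. */
struct node {
    struct node *child[2];
    struct node *parent;
    int key;
};

struct tree { struct node *root; };

/* Rotate the subtree rooted at n in direction dir. With dir == LEFT the
 * RIGHT child (index dir ^ 1) becomes the new subtree root and n becomes its
 * LEFT child. With dir == RIGHT every index flips, so the same code performs
 * the mirror rotation and no second, hand-written version is needed. */
static void rotate(struct tree *t, struct node *n, int dir)
{
    int opp = dir ^ 1;
    struct node *p = n->child[opp];      /* pivot: the opposite-side child */
    if (!p)
        return;                          /* nothing to rotate around */
    n->child[opp] = p->child[dir];       /* pivot's near subtree moves to n */
    if (p->child[dir])
        p->child[dir]->parent = n;
    p->parent = n->parent;               /* pivot takes n's place above */
    if (!n->parent)
        t->root = p;
    else
        n->parent->child[n->parent->child[RIGHT] == n] = p;
    p->child[dir] = n;                   /* n hangs off the pivot */
    n->parent = p;
}

static struct node *mknode(int key)
{
    struct node *n = calloc(1, sizeof *n);
    if (!n)
        abort();
    n->key = key;
    return n;
}

static void attach(struct node *parent, int dir, struct node *child)
{
    parent->child[dir] = child;
    child->parent = parent;
}

/* In-order walk into out[], returning the next free index. */
static int inorder(const struct node *n, int *out, int i)
{
    if (!n)
        return i;
    i = inorder(n->child[LEFT], out, i);
    out[i++] = n->key;
    return inorder(n->child[RIGHT], out, i);
}

/* Every node's parent pointer must agree with the link that reaches it. */
static int parents_ok(const struct node *n, const struct node *expect)
{
    if (!n)
        return 1;
    return n->parent == expect &&
           parents_ok(n->child[LEFT], n) && parents_ok(n->child[RIGHT], n);
}

static void destroy(struct node *n)
{
    if (!n)
        return;
    destroy(n->child[LEFT]);
    destroy(n->child[RIGHT]);
    free(n);
}

/* Constructed test tree:  2 -> (1, 4 -> (3, 5)), in-order 1..5.
 * Rotate at the root in direction dir, then verify that the in-order
 * sequence and all parent pointers survive. Returns the new root's key,
 * or -1 if the rotation broke an invariant. */
int rotate_root_and_check(int dir)
{
    struct tree t;
    struct node *n2 = mknode(2), *n1 = mknode(1), *n4 = mknode(4);
    struct node *n3 = mknode(3), *n5 = mknode(5);
    int before[5], after[5], ok, key, i;

    t.root = n2;
    n2->parent = NULL;
    attach(n2, LEFT, n1);
    attach(n2, RIGHT, n4);
    attach(n4, LEFT, n3);
    attach(n4, RIGHT, n5);

    inorder(t.root, before, 0);
    rotate(&t, t.root, dir);
    ok = (inorder(t.root, after, 0) == 5) && parents_ok(t.root, NULL);
    for (i = 0; i < 5; i++)
        ok = ok && before[i] == after[i];
    key = ok ? t.root->key : -1;
    destroy(t.root);
    return key;
}

int main(void)
{
    printf("left rotation at root  -> new root %d\n", rotate_root_and_check(LEFT));
    printf("right rotation at root -> new root %d\n", rotate_root_and_check(RIGHT));
    return 0;
}
```

The only direction-dependent expression is the index arithmetic: `dir ^ 1` picks the pivot and `n->parent->child[n->parent->child[RIGHT] == n]` reattaches the pivot on whichever side n occupied. A left rotation at the root of the constructed tree yields root 4 and a right rotation yields root 1, with the in-order sequence 1..5 unchanged in both cases.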
- A FAST and lean packet sniffer for Linux (mmap() packet socket),
slightly stolen from Alexey Kuznetzov ;)
- A program which generates strong random passwords from the system
entropy pool. Probably pwgen does this just as well these days?
- A program which checks the strength of passwords read from stdin.
Requires cracklib (-lcrack)
- A tool which displays which pages of a file are in the kernel's page
cache utilising the mincore(2) system call.
- Adds support for capturing packets in promiscuous mode in netfilter
(iptables). I am not sure what sort of nefarious use one might apply
- allows you to specify a GID (via /proc/sys/net/ipv4/tproxy_gid) to
allow access to the linux TPROXY functions. Applies to 2.4.21+
- hardware SSL acceleration for squid 2.5
- Linux transparent proxy support for squid 2.5
- And for squid 3.0 CVS branch
- Fibonacci string hashing function for squid 3.0 (benchmark it for
- GP32 stuff
- Defunct GP32 utilities...
All the tools I use in my hacking work
- vim - I do most of my
stuff in vim, I find it to be a really efficient text editor for
- I compile all my code with GNU GCC,
a portable C compiler, and use GNU binutils for a linker etc.
- I quite often program in python,
a cross-platform interpreted object oriented language.
- The GNU binutils
are VERY useful.
- I love GNU diffutils for creating
but it's almost a thing of the past now that git has come along.
- I used to use CVS for version control.
It seems difficult to imagine, or remember, now.
- Then I used subversion. These
were truly dark days. Even back then, quilt was a superior alternative.
- But now I use git.
- Qemu is a binary code
translator that pwns vmware for things like reverse engineering all
kinds of shitty hardware.
- KVM is based on qemu and uses the VT extensions
of your CPU if you have a modern bling computer.
Copyright (c) Spanish Inquisition 1478-1834. All rights reversed.