ISGroup SRL sponsor ESC2k16 – End Summer Camp

From August 31 to 4 September there will be the XII edition of ESC – End Summer Camp, one of the best technical and underground camps in Italy, featuring great talks on Free Software & Open Hardware, Hacking, DiY, Ham Radio and Digital Human Rights. ISGroup joins and supports ESC as sponsor.

Teammates at ISGroup were involved in ESC from its first editions, so we have a special connection with the camp and the people who make this incredible community!

There is still room for donations, so if your company has some spare budget, why not!

See you at the camp!

Francesco `ascii` Ongaro

‪@EndSummerCamp #ESC2k16 #hacking #opensource

Grappa Hat Aosta 4,5,6 March 2016

We want to thank all the attendees of Grappa Hat, a security conference in Aosta that took place over the past week-end. The mood was relaxing and informal, the city is surrounded by mountains and beauty and we had a chance to meet long-time friends and to make new ones too!

Personally I presented the speech I’m going to bring to the International Journalism Festival on 8 April in Perugia, a happening I warmly recommend to anybody interested in Digital Rights, Privacy and, obviously, Journalism ^_^

The talk is titled The lost war on Information Security and it highlights some regressions from the security standpoint that the Cloud paradigm is going to cause:

The lost war on Information Security

It happened, software ate the world, we lost control over our information and security is not better than before.

How to stem the appetite of organized crime, corporations and governments for the data bubbles generated by Cloud computing? What could people realistically do?

We will explore the major indicators of the current state of software security, its evolution over time and how the adoption trend of Cloud solutions affects the confidentiality, integrity and availability of people’s and companies’ information.

Again, thanks everybody, Andrea and I enjoyed the time spent together! If you need a copy of the slides and you attended Grappa Hat, ping me and I’ll happily send you the PDF :)

Need a pointer? 0x414141, LinkedIn or by Tweet

–Francesco Ongaro


Sniffing the innocent (HackItaly outcome #2)

Hack the hacker is fair game at conferences, especially when some ethics and a formative objective are mixed in. If you read the last post you know “who”, “when”, “where” and “why”. Now it’s time for “what”.

This post is about developers who will code the applications of tomorrow, full of the bugs of yesterday, injections and logical bugs, wide open to attacks. This is a post about users, who will fill such applications’ backends with any sort of personal information. In the meantime somebody enjoyed exploiting the developers of today with last-century attack vectors in order to save the unaware users of tomorrow’s available applications. Perhaps.


Aruba networks log parser (HackItaly outcome #1)

Before escaping a high-pressure itsec routine with a week of vacation in Mallorca, on 19-21 July I went to a nice meeting in Venice, called HackItaly, on Walter Franchetti’s suggestion. More than a hacking conference it’s a meeting of young Web-2.0/Mobile-App developers. Words apart (and Words matter) there was some nice human capital and I met people who would perfectly fit in a Security Research Team as juniors, if only they were not trying to build a future pulling pants to investors. And you know, especially in the myopic Italy, investors are those who pull pants down to young human material.

Anyway, in this jungle of Facebook, API, Responsive CSS, JSON and Non-Relational Databases I found somebody who was speaking a language more similar to mine, the tech guy of H-Farm, Marco, who was fighting against the crowd to provide a decent service. In the end, while everybody was busy developing for the day-after contest, we spent our night in front of 80×24 xterms, setting up some infrastructure machine, sniffing passwords (no SSL offence, there are still people who do clear-text auths) and building a syslog server for the Aruba Network infrastructure.

So, here’s a little Perl parser for the ugly format sent by these expensive devices to our rsyslogd. It could be easily extended with some “action” callbacks (maybe using a hash of anonymous functions?). If you ask, I have no idea why Parse::Syslog was not working well with File::Tail, so we had to surrender and use a regexp (at least not a POSIX one, thanks Perl/PCRE!).

In the end, if you feel that this development world falls short, why not apply to join a security research team? We are USH, an ethical, non-commercial, no-bullshit, under-hype but definitely kick-ass group of individuals. We are the Jargon, we are the Manifesto, and we do hack.