Latest News
Here is the latest news related to my professional work
I have just added support for personal articles on my website. After several years of gradually publishing in different sources, I have decided to unify the creation of articles on my own website. This idea was born out of curiosity about Gatsby's support for markdown article processing, as I needed this same functionality for a project in my current job. I couldn't be happier with the result, and although I publish very occasionally, I hope you like this new change. If you wanna know how I implemented this feature, I wrote a post about how I developed it.
This August I gave a talk at DevConf, which unfortunately I could not attend due to scheduling issues. The topic of this talk was about how we implemented High Availability in the first release of the OpenShift AI service and learned from some of the mistakes we made along the way. Overall it was a good experience and I hope that in the next edition I will be able to attend in person and meet many colleagues.
After many reviews, I think I can deploy another of my side projects, which I've been working on for the last couple of weeks. This is an Android port of my personal webpage. The style mimics the new Material You and the core components are based on the modern Android Architecture pattern with MVVM, Room, Retrofit, Kotlin... I'm planning to add new features such as new Widgets, dynamic colors, ARCore, and other cool Android frameworks in order to expand my knowledge of this platform.
There is not much time left before the start of the Master's Degree in Full Stack Development of Three Points with the collaboration of the UPC. The main goal of this Master is to provide a general vision of Full Stack Development to a manager or director profile. That is why, on top of the technical concepts, the students will learn to analyze all the software development stages, in order to face all the technical difficulties that might appear with a low level understanding of the situation. All the professors are top professionals in their respective careers and they gather both technical and managing experience in order to deliver the best possible content. I am very thrilled for the beginning of the new course and I hope all the students will be satisfied with the result.
I've redesigned my webpage. It's a migration from Angular to React in the front, using Gatsby with SSR in order to improve the speed and responsiveness of the web. In this version I've focused my attention on the visual part; this web now has more interactive elements, animations and better graphics. It's still a Work In Progress but I hope you will like it. Bye! 👋
The video of the workshop about Digital Identity, OSINT and Metadata I delivered at University Rey Juan Carlos has already been published. In this workshop I talked about different techniques that can be performed with public information about a target, and I did some PoCs with four tools developed in Telefonica with the goal of raising awareness about the misuse of information. These four tools are Dirty Business Card, targeted at OSINT and Digital Identity; FOCA, which manages all the Metadata of a given domain; Air Profiling, to profile the navigation of a phone; and Airdrop Crazy, to scan the environment to find Apple devices. We had fun talking about all the modern threats that we could face on the Internet and how we could avoid some attacks. Have fun ;)
A few weeks ago, I was invited to h-c0n, the Hackplayers' conference. Despite some problems with some PoCs, we had a really great time. I talked about one of the research projects we've been working on lately, about all the risks around BLE & Airdrop in Apple devices. This research is not new; I posted here the Codetalk for Developers' video in which we dove into all the features, implementations and PoCs of this tool, such as the possibility to intercept phone numbers, OSINT capabilities to extract more info of the victim and the BLE scan of the surroundings. Here you have the slides (by clicking on the card) if you want to check the main points of the talk and get all the resources and PoCs I used.
Today, after several months of preparation, I can show the first video of Don't Push That Button. Don't Push That Button is a dissemination channel (with the intention of being cross-platform) where you can post videos related to various branches of computing. All this came after reviewing my notes from my Computer Science degree; many of the things were very useful but I had not assimilated them well due to the rush and lack of overview. So my goal is that after watching each video, a person ends up knowing a little more about a technological topic and knows how to relate it to other concepts.
Airdrop Crazy, the first of the 12 tools that the Crazy Ideas team wants to present in the next 12 months, is now released. This tool is based on the research conducted by the Hexway team in which they discussed a way to identify the status of devices through BLE advertisement packets. In addition, they also managed to see that in Airdrop the devices are announcing the hash of the personal number to distinguish between friends and strangers. Based on this we have created a service and an app and we have taken the investigation to a new level. I hope you like it.
Check out the post that I've written in "Elladodelmal", which I based on the research made by Security Researcher Labs team. This demo, in addition to being very attractive, is really easy to get: in just 20 minutes and without the need for writing code it is possible to mount a similar scenario. For more details I leave the link of the article where everything is explained in depth.
Yesterday we finally managed to launch the Safepost update for iOS 13. Among its main innovations, it lives up to its counterpart in iOS with the dark mode that is so fashionable today and brings a series of improvements adapted for iOS 13 and the resolution of certain bugs.
Some time ago we recorded a video with the intention of creating a new broadcast series within Telefonica focused on the research we carried out at Ideas Locas, and it seems to have been well received. In this first video we talk about a health-oriented technology, photoplethysmography. This technique allows heart rate to be measured accurately and with cheap hardware, which is why it is currently used in a wide variety of devices. Continuing with the article, we also mention the ability to represent the electrical activity of the heart thanks to the new one-point electrocardiograms incorporated in smart watches.
We can finally show this tool to the public! Business Card Reader is an OSINT tool with a robust plugin system that already has advanced modules and allows, with little data, to obtain all the possible information about a person. The tool was developed for the past Security Innovation Day and we recently took it up strongly, improving both the internal operation and the plugins. The infrastructure, as explained in the video, runs on a Docker with two containers, one with an nginx to handle requests and the web and the other with a back end flash. I hope you like it a lot. We have dedicated a lot of effort to both the tool and improving the Codetalk format, and little by little the fruits of that effort are being seen.
I just gave a Webinar at LUCA on OCR, the Artificial Vision technique that consists of extracting text from an image. In 40 min I present the underlying technology, the most popular Data Sets, cloud services that incorporate this technique and how to build from scratch a webapp that extracts data from a business card. I leave the link to Chema's article on the Webinar where everything is explained.
A few months ago I participated with my former classmates Santiago Hernandez and Javier Gutierrez in the Cybercamp Hackathon. It was a very intense few days but we managed to implement a minimally functional service for the security governance of an SME. In just a couple of days we got an infrastructure with equipment and traffic analysis through Osquery, analytical rules based on Machine Learning and a virtual assistant in Action format from Google Home together with the App for Android. We were not in the top three but in my opinion we developed a fairly complete project that could reach an important service.
Stack Sms is a project that we have been working on at Ideas Locas for a while. The basic concept is to give capabilities similar to the TCP stack in the GSM network through SMS. In addition we can encapsulate other protocols on top of Stack Sms to suit multiple needs. Fran, a workmate from Ideas Locas, has written an excellent article explaining the protocol a bit, how to download it and useful use cases. It is a rather unique project and worth checking out, so I encourage you to read the article and go to the official GitHub.
I've uploaded the articles from El Lado del Mal about the exfiltration module that we had to do for our TFM of the European Cybersecurity Master. The idea is cool, and incorporates a custom Latch library for iOS in Swift. There is also talk of some interesting apps like Pythonista and how to create extensions from the application itself. I hope you like it!
I've developed a new website, where I will be posting articles, projects and materials related to the research and developments in which I participate. This page is created in Angular 9 and is compatible with the PWA standard, so it can be used as an app on both iOS and Android. At the moment the website will consist of four sections, one of introduction where I will put small updates with news, one about personal information, another about projects carried out and finally one with written articles. It is not a fixed structure, it may change if I am not convinced of the layout, but at the moment it seems like a good distribution. We begin this experiment that I hope will be successful.