Artificial truth

The more you see, the less you believe.

[archives] [latest] | [homepage] | [atom/rss/twitter]

Aquynh's conferencewares
Sat 09 January 2021 — download

There is a great article from 1994 by Robert A. Prentice and John H. Langmore, entitled Beware of vaporware: product hype and the securities fraud liability of high-tech companies detailing what a vaporware is. A conferenceware is a subclass of vaporware, specially tailored to pass calls for papers to speak at various high-profiles conferences.

A specialist of this practice is Nguyen Anh Quynh, but he's not the only one.

Even though he's responsible for a couple of really amazing software (like capstone, unicorn, qiling and keystone), there are still a couple of them for which we're still waiting.


In 2013, he presented OptiSig: semantic signature for metamorphic malware, at Blackhat Europe 2013, and said at 00:52" that the software would be "Deployed as an independent toolset for malware analysts". Yet no code nor deployment has ever been seen.


Also in 2013, he presented OptiCode: Machine Code Deobfuscation for Malware Analysis at Confidence, and mentioned on slide 39:

Web Interface + IDA plugin

Will be available to public at

He did the same talk, OptiCode: Machine Code Deobfuscation for Malware Analysis at SysCan SG, Apr 2013. with the same "Will be available to (sic.) public at"

Apparently, "available to public" means a web interface only available for a couple of months, but no source code nor any IDA plugin.


In 2013, he presented OptiROP: Hunting for ROP gadgets in style at the Blackhat USA, and mentioned on slide 64:

Will be freely available to public soon

In September 2014, he presented the same tool again, this time at syscan360 in Beijin.

Apparently, someone asked him in 2016 about publishing the code:

I have contacted the author some months ago and he responded that the software belongs to his company, so it won't be released.

Moreover, a researcher from the EPFL got a negative answer as well:

OptiROP and Q are not publicly available and also were not made available to us upon request.


In 2017, he presented Building Advanced Coverage-guided Fuzzer for Program Binaries at Zeronight, mentioning that "SKORPIO engine will be released to public in near future".

In 2018, he presented Skorpio: Advanced Binary Instrumentation Framework at OPCDE Dubai, and mentioned on slide 29:

Open-source, cross-platform-architecture

The same year, he presented Virtualizing IoT With Code Coverage Guided Fuzzing at HITB2018DXB, against featuring Skorpio, but this time without mentioning that it will ever become public.

He also presented it at Hack in the box, Beijing, again no mention about a possible release.

He also presented at Brucon, Finding 0 Days in Embedded Systems with Code Coverage Guided Fuzzing, again without mentioning that Skorpio will ever become public.

To this day, we're still waiting.


In March 2019, he presented Dynamic analysis for Ethereum smart contracts at Blackhat asia 2019, saying "Open source with permissive license." in the abstract, yet the github repository still says "To be publish in early April 2019 - stay tuned".


Redback was presented at Blackhat Asia 2020, the talk summary saying "Redback will be released after our talk, with full source code.", yet nothing was released.

So what?

The information security world is full of bogus products, plain stupid claims, charlatans and unreproducible clickbait pseudo-science. We need to do better than this as a community, especially on those time of massive technology-powered attack campaigns, not only on infrastructure, but also on global social systems: demand science, not faith.

The acm has an interesting Artifact Review and Badging policy, it would be nice to see more initiatives like this.