Title: Aquynh's conferencewares
Date: 2021-01-09 17:00

There is a great article from 1994 by Robert A. Prentice and John H. Langmore,
entitled [Beware of vaporware: product hype and the securities fraud liability
of high-tech companies](
http://jolt.law.harvard.edu/articles/pdf/v08/08HarvJLTech001.pdf ) detailing
what a vaporware is. A conferenceware is a subclass of vaporware, specially
tailored to pass [calls for
papers](https://en.wikipedia.org/wiki/Call_for_papers) to speak at various
high-profiles conferences.

A specialist of this practice is [Nguyen Anh Quynh](https://github.com/aquynh),
but he's not the only one.

Even though he's responsible for a couple of really amazing software (like
[capstone](https://www.capstone-engine.org/),
[unicorn](https://www.unicorn-engine.org/), [qiling](https://www.qiling.io/)
and [keystone](https://www.keystone-engine.org/)), there are still a couple of
them for which we're still waiting.

## OptiSig

In 2013, he presented [OptiSig: semantic signature for metamorphic
malware](https://paper.bobylive.com/Meeting_Papers/BlackHat/Europe-2013/eu-13-Quynh-optisig.mp4),
at Blackhat Europe 2013, and said at 00:52" that the software would be "Deployed
as an independent toolset for malware analysts". Yet no code nor deployment has
ever been seen.


## OptiCode

Also in 2013, he presented [OptiCode: Machine Code Deobfuscation for Malware
Analysis]( http://www.data.proidea.org.pl/confidence/11edycja/NGUYEN_Anh_Quynh.pdf#page=39)
at Confidence, and mentioned on slide 39:

> Web Interface + IDA plugin

> Will be available to public at http://opticode.coseinc.com


He did the same talk, [OptiCode: Machine Code Deobfuscation for Malware
Analysis](http://www.data.proidea.org.pl/confidence/11edycja/NGUYEN_Anh_Quynh.pdf)
at SysCan SG, Apr 2013. with the same "Will be available to (sic.) public at
http://opticode.coseinc.com"

Apparently, "available to public" means a [web interface](
https://web.archive.org/web/20151109151228/http://opticode.coseinc.com/ )
only available for a couple of months, but no source code nor any IDA plugin.


## OptiROP

In 2013, he presented [OptiROP: Hunting for ROP gadgets in
style](https://media.blackhat.com/us-13/US-13-Quynh-OptiROP-Hunting-for-ROP-Gadgets-in-Style-Slides.pdf)
at the Blackhat USA, and mentioned on slide 64:

> Will be freely available to public soon

In September 2014, he presented the same tool again, this time at
[syscan360](https://www.slideshare.net/daniel_bilar/2013-syscan360-nguyenoptirop-hunting-for-rop-gadgets-in-style) in Beijin.

Apparently, someone [asked him]( https://twitter.com/teh_h3ck/status/734007527109713921 )
in 2016 about publishing the code:

> I have contacted the author some months ago and he responded that the
> software belongs to his company, so it won't be released.

Moreover, a researcher from the EPFL got a [negative answer]( https://hexhive.epfl.ch/publications/files/16STM.pdf ) as well:

> OptiROP and Q are not publicly available and also were not made available to us upon request.


## Skorpio

In 2017, he [presented](https://www.youtube.com/watch?v=8pPo5ubKxW8) [Building Advanced Coverage-guided Fuzzer
for Program Binaries]( https://2017.zeronights.org/wp-content/uploads/materials/ZeroNights2017-darko-fuzzer.pdf )
at Zeronight, mentioning that "SKORPIO engine will be released to public in near future".

In 2018, he presented [Skorpio: Advanced Binary Instrumentation Framework](https://github.com/comaeio/OPCDE/blob/master/2018/Emirates/Skorpio%20Advanced%20Binary%20Instrumentation%20Framework%20-%20Nguyen%20Anh%20Quynh/Opcde2018-skorpio.pdf) at OPCDE Dubai, and mentioned on slide 29:

> Open-source, cross-platform-architecture

The same year, he [presented](https://www.youtube.com/watch?v=BGqkfKV1KFk)
[Virtualizing IoT With Code Coverage Guided Fuzzing](https://conference.hitb.org/hitbsecconf2018dxb/materials/D1T1%20-%20Virtualizing%20IoT%20With%20Code%20Coverage%20Guided%20Fuzzing%20-%20Lau%20Kai%20Jern%20and%20Nguyen%20Anh%20Quynh.pdf) at HITB2018DXB, against featuring Skorpio,
but this time without mentioning that it will ever become public.

He also presented it at [Hack in the box,
Beijing](https://conference.hitb.org/hitbsecconf2018pek/materials/D2T1%20-%20Finding%200days%20in%20Embedded%20Systems%20with%20Code%20Coverage%20Guided%20Fuzzing%20-%20Dr%20Quynh%20and%20Kai%20Jern%20Lau.pdf),
again no mention about a possible release.

He also presented at Brucon,
[Finding 0 Days in Embedded Systems with Code Coverage Guided Fuzzing](http://files.brucon.org/2018/08-Quynh-Lau-Finding-0Days-In-Embedded-Systems.pdf),
again without mentioning that Skorpio will ever become public.

To this day, we're still waiting.


## Monocerus

In March 2019, he presented [Dynamic analysis for Ethereum smart
contracts](https://www.blackhat.com/asia-19/briefings/schedule/#monocerus-dynamic-analysis-for-smart-contract-13910) at Blackhat asia 2019,
saying "Open source with permissive license." in the abstract,
yet the [github repository](https://github.com/groundx/monocerus) still says 
"To be publish in early April 2019 - stay tuned".

## Redback

[Redback](https://groundx.io/redback/) was presented at [Blackhat Asia
2020](https://www.blackhat.com/asia-20/briefings/schedule/#redback-advanced-static-binary-injection-18660),
the talk summary saying "Redback will be released after our talk, with full
source code.", yet nothing was released.

# So what?

The information security world is full of [bogus products](
https://twitter.com/dwizzzleMSFT/status/1344423857826922496 ),
[plain stupid claims]( https://www.schneier.com/blog/archives/2019/09/the_doghouse_cr_1.html ), [charlatans](
http://attrition.org/errata/charlatan/ )  and
unreproducible clickbait [pseudo-science](|filename|/paper_notes/osint_analysis_tor_foundation.md).
We need to do better than this as a community, especially on those time of
massive technology-powered attack campaigns, not only on
[infrastructure](https://www.schneier.com/blog/archives/2021/01/russias-solarwinds-attack-and-software-security.html),
but also on global [social systems](https://www.schneier.com/blog/archives/2020/11/undermining-democracy.html):
demand [science](https://en.wikipedia.org/wiki/Scientific_method), not faith.

The [acm](https://en.wikipedia.org/wiki/Association_for_Computing_Machinery)
has an interesting [Artifact Review and Badging
policy](https://www.acm.org/publications/policies/artifact-review-and-badging-current),
it would be nice to see more initiatives like this.

<!--
# Others

While Nguyen Anh Quynh is the most obvious presenter of vaporwares, he isn't the only one in the infosec world:

- [Sol[IDA]rity](https://solidarity.re/) was
[presented](https://solidarity.re/docs/RECON2016-Solidarity.pdf) at RECon 2016,
with the "future" section of the talk mentioning "Beta soon™", but we're still waiting.
- [Cantor Dust]( https://sites.google.com/site/xxcantorxdustxx/about ) was presented at the [Recon 2013](­https://recon.cx/2013/slides/Recon2013-Christopher%20Domas-The%20Future%20of%20RE-Dynamic%20Binary%20Visualization.pdf), and never published,
albeit 8 years later, its successor, in the form of a Ghidra plugin, was
[published](
https://inside.battelle.org/blog-details/battelle-publishes-open-source-binary-visualization-tool
).
- Éric Filiol broke [AES several times]( https://eprint.iacr.org/2003/022.pdf),
	and still continues to [publish bullshit](
	https://dustri.org/b/debunking-osint-analysis-of-the-tor-foundation-and-a-few-words-about-tors-directory-authorities.html).

Feel free to send me an [email](https://dustri.org) if you have names to add to
this list.
-->