You may know Alexander Peslyak better by another name: Solar Designer.
Under that name, he’s led the Openwall project for over 20 years, producing state-of-the-art cybersecurity software and tracking down some of the biggest security vulnerabilities in history.
Stay One Step Ahead of Cyber Threats
And though his world-class talents could have landed him a cushy job at any tech giant, Peslyak has instead dedicated his life to independent discovery, open-source innovations, and digital freedom for all.
What Is the Openwall Project?
The Openwall Project is a community-focused initiative dedicated to enhancing cybersecurity through the creation and distribution of open-source software. Launched by Alexander Peslyak, also known as Solar Designer, it produces security tools for system administrators and general users. Its notable contributions include Openwall GNU/*/Linux, an operating system designed for security, and the John the Ripper password cracker. Openwall also provides guidelines for secure programming and various other tools aimed at improving system security.
Alexander Peslyak at a Glance
Soviet-born Alexander Peslyak began programming with pencil and paper at age 12, after a childhood spent experimenting with electronics.
In 1994, he adopted the alias “Solar Designer,” a name that’s since become iconic in the cybersecurity community.
Peslyak released the revolutionary John the Ripper password cracker in 1996, and it soon became the most popular software of its kind.
Throughout the ’90s and ’00s, Peslyak discovered numerous groundbreaking exploits, specializing in insidious buffer overflow exploits.
Peslyak founded the Openwall Project, an organization dedicated to free and secure open-source software, as well as its for-profit counterpart, Openwall, Inc.
He also created the Openwall GNU/*/Linux OS, a secure server OS whose components made their way into many major Linux and BSD releases.
The Life of Alexander Peslyak
Alexander Peslyak’s Early Life
Born in modern-day Russia in 1977, Alexander Peslyak was always interested in electronics.
Some of his earliest memories, he says, are of tinkering with electrical circuits, often irresponsibly. After finding some Soviet radio equipment near a dumpster in the ’80s, he began modifying radios to listen to foreign stations.
Peslyak was soon modifying everything from simple calculators to discarded Soviet mainframe boards. In 1989, he was able to access computers periodically, spending the time in between sessions writing and debugging code on paper.
By 1992, Peslyak had developed a mastery of the BASIC, Fortran, x86 ASM, and Pascal programming languages. He had also created his own integrated development environment (IDE), again using pencil and paper, in which to write his code.
From 1992 to 1996, Peslyak worked for several software companies, developing anti-piracy measures, creating user interfaces, and translating legacy software to newer systems. And in 1994, he adopted a new name: Solar Designer, or solardiz for short, a “meaningless” handle he used to post on a forum where real names were discouraged.
Meanwhile, he continued working on his own programming projects, one of which would earn him more acclaim than he ever thought possible.
John the Ripper
In 1996, Peslyak released a revolutionary piece of software: the John the Ripper password cracker.
One of the first of its kind designed for Unix systems, John the Ripper was incredibly versatile. It could test password strengths, detect password hash types, and crack passwords using both dictionary attacks (which iterate through a predefined list of passwords) and brute-force attacks (which try every possible combination of characters that fits the password requirements).
What’s more, John the Ripper was free and open-source, whereas most similar tools were expensive and/or only available to certain types of users.
It quickly became the most popular password cracker, especially among cybersecurity students and those opposed to proprietary software. Today, it’s the 10th most popular cybersecurity tool ever created.
Solar Designer’s Exploit Discoveries
1997 was another fruitful year for Peslyak. He published two exploits that were each the first of their kind: the first Windows buffer overflow exploit, and the first “return-into-libc” buffer overflow exploit for Unix systems.
Both worked in similar ways. Peslyak found that if certain buffers (temporary data storage areas) were overloaded, the excess data would be sent to other memory stores and processed inappropriately — and if that data happened to be malicious code, the system could be compromised.
Though these types of attacks had been discussed as hypotheticals, nobody had yet identified a real one. Peslyak’s dual discoveries were groundbreaking — and he wasn’t done yet.
That same year, Peslyak created the Linux kernel’s first non-execution memory protections, designed to prevent buffer overflow attacks. Developers soon created more elaborate patches based on Peslyak’s original for Linux, OpenBSD, and even Windows.
The Openwall Project
In 1999, Peslyak founded the Openwall Project, the new home of his free cybersecurity software projects and research. In addition to hosting his software, Openwall provided a community space for programmers to make existing software more secure.
The following year, Peslyak embarked on his most ambitious project yet: Openwall GNU/*/Linux (Owl for short), a security-centric server-oriented operating system based on Linux and GNU.
Peslyak observed that most operating systems, including most so-called “secure” Linux distributions, took a reactive approach to security. They patched vulnerabilities as they were discovered, but they didn’t take proactive measures to prevent vulnerabilities in the first place.
Owl was designed to be ironclad from the start. Peslyak put his extensive knowledge of exploits to use, packaging the OS with only the most secure software and preemptively fixing even the smallest security holes.
Meanwhile, he continued hunting for exploits in other software. Most notably, he discovered the first generic heap-based buffer overflow exploit, a difficult but dangerous vulnerability that earned him accolades — and a bug bounty — from Netscape and AOL.
Solar Designer Hits the Big Time
Throughout his career, Peslyak had found that many of his discoveries were initially met with skepticism.
His “return-into-libc” buffer overflow exploit, for instance, was first posted to little fanfare, only making waves months later. And his non-execution memory protections for Linux were originally rejected by the kernel’s maintainers before eventually being embraced.
But throughout the 2000s, this began to change. Various Linux distributions, as well as other Unix-like OSes like FreeBSD and OpenBSD, began incorporating software from Owl into their new releases.
And in 2003, Peslyak brought his talents to the corporate world with the formation of Openwall, Inc. This new company provided security audits, consulting, system administration, and custom open-source enterprise software.
In 2005, Peslyak’s new software, phpass, debuted on the Openwall Project. It provided a more secure way to hash (scramble) passwords in PHP web applications.
This, too, was quickly adopted by many different applications. By 2007, phpass was integrated into the world’s most popular PHP-based forum and blogging platforms, including WordPress, Drupal, and phpBB.
Solar Designer, Security Sage
In 2008, Peslyak was asked to be on the advisory board of the newly formed Open Source Computer Security Incident Response Team (oCERT), a coalition dedicated to providing security support and coordination for open-source software projects.
The group was the first of its kind, and over its 9 active years, it advised the community on 61 different vulnerabilities, including many entirely new classes of exploits.
Also in 2008, Peslyak cofounded oss-security, a public mailing list and knowledge base for discovering, disclosing, and discussing open-source software vulnerabilities. He also co-founded its counterpart, distros, a private mailing list used by OS developers and maintainers to coordinate responses to new exploits.
Meanwhile, the name “Solar Designer” became a common sight on lists of speakers at hacker conferences like CanSecWest, HAL2001, NordU, and FOSDEM. In 2009, he received a lifetime achievement Pwnie Award, one of the most prestigious cybersecurity honors, at the famed Black Hat Security Conference.
Today, Peslyak continues his work as leader of the Openwall Project and Openwall, Inc. He leads a private personal life, repeatedly emphasizing in interviews that he wants people to focus on his accomplishments and contributions rather than the person behind them.
Alexander Peslyak: A Programming Pioneer
Every time you use an Android phone, a WordPress website, or a Linux computer, you’re using code written by Alexander Peslyak.
Whether he’s discovering new threats, helping people respond to old ones, or creating preventative tools for the future, few can match his level of cybersecurity expertise and insight.
And though he couldn’t have known it at the time, his chosen name of Solar Designer turned out to be incredibly accurate: he’s one of the most iconic architects of modern computing, with talent that shines as bright as the sun.
"Amateurs hack systems, professionals hack people."
-- Bruce Schneier, a renown computer security professional