Interview of Ninon Eyrolles ("Obfuscation, know your enemy")

RMLL: Hello Ninon, first of all thank you for coming to the LSM/RMLL with a presentation about obfuscating. Could you introduce yourself in a few words?

Ninon Eyrolles: I finished my studies at Bordeaux with a Master in Cryptology and Computer Security last year, and since then I have been working at Quarkslab. Currently I’m starting a thesis about obfuscation in partnership with the University of Versailles.

RMLL: Could you tell us what convinced you to work in the computer security domain? Is it a passion since childhood or a later discovery? Are the mathematical aspects of your curriculum (Master in crypto) of major importance in your orientation or was it computer science that guided your choices along your high school studies?

N.E.: At first, I wanted to study mathematics. During my studies I realized that the aspects I was interested in were those in relation with crypto, so I pursued in that direction. At that point I got a first insight into computer security, and I found it really interesting. What I appreciate in computer security is the variety of possible competences. There is something for all tastes: we can mix theory and practice, maths and computing... There are always things to learn, and that’s what I liked.

RMLL: You’ve been working since last year at Quarkslab. Being at an early stage of your career, what were your criteria for choosing your first experience (large corporation, small structure, research, operational...)?

N.E.: When I searched for an internship, I did not really have any criterion other than finding an interesting topic. What was interesting in Quarkslab is that the desired profile was rather mathematical, and the internship subject quite ambitious. So I could learn a lot about computer security while putting my education to good use. In addition, Quarkslab seemed to offer a good first experience with its status of a quite young company, and thus evolving.
RMLL: What are your main areas of interest in computer security? What are the subjects you’d like to tackle over the next 5 years?

N.E.: So far I have mainly visited two areas: binary comparison during my internship, and now obfuscation with my thesis. Obfuscation is a truly fascinating subject, there are many diverse aspects (and sometimes deeply mathematical ;) ) and this is an area where demand is growing. It also includes the attack / defense aspect inherent in computer security, which allows one to study in parallel techniques of reversing and program analysis. With just these two aspects, you can be busy for quite a long time with obfuscation. In a more or less far future, I’d like to take time also to learn a bit more about the practical aspects of crypto, since in my studies I’ve seen a lot of theory but not much in practice...

RMLL: About Free Software, what are the free tools you’re using most? Your favorite OS? Do you have some projects to which you contribute regularly?

N.E.: My preferred OS is GNU/Linux, and obviously I’m using quite a lot of free software daily: Firefox, Thunderbird, Emacs, VLC... And of course Python, as I’ll talk about it at RMLL! On the other side, not being a developer at heart, I’m not involved in any project for the time being; but I like the idea.

RMLL: Do you have an opinion on the security of Free Software vs proprietary software? On the importance of having free tools to do security?

N.E.: I think we are dealing with two very different approaches when looking for vulnerabilities. With free software, we’re going over source code analysis: so security is based on the fact that some people are reading and auditing the source code. The problem that arises is that we sometimes assume that Free Software is secure because someone has necessarily read the code. But this is not always true (we had enough examples recently...) and you must always ask the question of who could have read the software code you’re using.
About proprietary software, the approach is obviously completely different: we must somehow "trust" the authors of the software about its security. The good side is that it’s a bit the rationale behind reverse engineering :)

RMLL: Security, as computing in general, is still a quite masculine domain. Do you think it is a way forward for young women who are hesitating to follow this curriculum? What can you say to convince them (or not!) to get into it? Does a program like the OPW ( https://wiki.gnome.org/OutreachProgramForWomen ; see also the feedback of Sarah Sharp, present at 2010 RMLL / LSM, as a mentor: http://sarah.thesharps.us/2013/05/23/%EF%BB%BF%EF%BB%BFopw-update/ ) look like a good idea to you to allow a greater involvement of women in the development of open source projects, or not at all?

N.E.: It is clear that computer security is a way forward, I do not see why women would not have a role to play. A predominantly male environment is not a limiting factor; personally I do not have any problem in everyday life. Besides, it’s fun that we never ask men what they think of the question ;) In terms of initiatives to encourage the involvement of women in computing, I think the intentions are praiseworthy, but the problem is much more upstream.

RMLL: One last point: what do you expect from your presentation at RMLL and, generally speaking, from your coming to RMLL?

N.E.: I hope that my presentation will generate ideas and comments, it is always interesting to have new perspectives on a topic. In general, I hope to have interesting discussions and learn a lot of things!

RMLL: Thanks a lot Ninon and see you Tuesday 8th of July at 14h.

Interview done by email in June 2014 by Christophe Brocas, Security track co-chairman. Translated by Philippe Teuwen, Security track co-chairman, and Ninon Eyrolles.