Interview with Fred Raynal aka pappy (Quarkslab)

Hi Fred, everything all right, pappy? Do you hear me or do I have to speak louder?

Shit, sorry, I didn't turn on my sonotone (bastards :)

Could you introduce yourself a little so that our readers know you better?

Age: 43. I got my engineering degree in 1996, my PhD in 2002, created MISC Magazine, a specialized magazine on security, at the end of my PhD, and was editor in chief until the beginning of 2015. Right after, I also started a conference on security in France, SSTIC. Then I worked at EADS, Sogeti, and finally I started my own company called Quarkslab in Dec. 2011. We are now about 30 people, mainly engineers (developers, vuln researchers, reversers, ... security related people). I have been interested in security since 1996, especially what is related to code (vulnerabilities, backdoor / rootkit), OS (userland and kernel), cryptography but also a side topic, information warfare. I used to develop, look for vulnerabilities, provide patches or tools ... but I don't have time anymore. I just get mad if I have something to code as it takes me forever compared to the people I work with. I try to compensate by being more cunning.

Computing has changed a lot in 20 years, from non-network-connected PCs (or mainframes, not connected either) to servers and multiple ultra-connected terminals. Software has also changed a lot, with open source present everywhere on servers and in many areas on the client side (office suite, browsers). But for the last 5 years, mobile terminals on one side and servers in the cloud on the other side show us a loss of power of users over their data, software and servers. Seeing this long term evolution of computing, how do you see the evolution of computing security?

People see computers as cars: they want to use them, and do not care how they are working.
Hence, the IT crowd decided to keep the infrastructure for themselves and to provide easy ways for the users to use the application, without letting them look at what is "under the hood". So people are losing control over their systems (and the information they handle), but are gaining comfort and ease of use. My grandma really does not care about where her data are. She wants to use them whenever she wants, easily, without having to configure obscure files somewhere on her system.

The attack model has totally changed, but the attackers too. Long ago (like 10+ years), the attackers tried to be famous. Now, attackers are doing their job for money. It is a job, no matter if it is legal or not. Also, attackers & defenders finally understood that the value is the information, not the software.

In security, we have to adapt to the usage. It will never be the other way around, unless security is enforced by law. Security for security's sake is useless. The purpose of security is to protect information, data. This must never be forgotten.

We are currently living in a quite paradoxical situation: through Edward Snowden's revelations, many people have discovered widespread global surveillance operated by the NSA outside any democratic control and were moved by that. And this spring, we see arriving in France a law that wishes to include in the legislation a framework that can lead to widespread (black boxes) and broad-spectrum (anti-terrorist framework but also anti-republican etc.) surveillance. Is it not schizophrenic?

In the US, privacy is a real concern. In France, nobody cares. People are scared, and thus are more concerned with everything improving their security, even if it costs some freedom or privacy. And if we consider the politicians, none really said anything about the NSA eavesdropping on them. And who makes the new security laws? Those same politicians. Their goal is to be (re)elected, so they provide what will please as many people as possible.
And for now, people want security, not privacy.

Could you enlighten the public on the current legal situation in France and Europe for companies that do research on / sell vulnerabilities and write / sell exploits? Does Quarkslab play on this ground and which approach does it adopt?

In France, the law is quite complex and changes a lot. Additionally, I am not a lawyer. The main thing I keep in mind is that, as a security researcher, I have a legitimate ground, which is required by French law to perform some security related work. However, that is my vision. Maybe a judge might see that differently. I am in no hurry to discover that. I have always taken great care not to cross some lines and I have had a quite long career in security up to now, which lets me think I have done things properly. And today, there is really no need to go into illegal actions to learn security (or hacking as some people call it). But do not forget that law is one thing, ethics is another. Both are providing bounds, not necessarily the same ones.

The recent change regarding vulnerabilities, and other offensive tools, is the Wassenaar Arrangement: it deals with export control on dual-use technologies. It means tools which can be used for defensive or offensive purposes, such as an exploit. When you test your own security, to see if your defense will detect or prevent the attack, that is ok. However, if the same exploit is used to spy on whoever, it is illegal (and unethical). The Wassenaar Arrangement requires countries to regulate dual-use "cybertools".

We do vulnerability research. It can be for a customer who wants to test his own program, but also for a company who wants to install an application and wonders what its level of security is. We look for vulnerabilities by ourselves also, like when we analyzed the iMessage protocol. Sometimes we report them (e.g. Samsung, Siemens, Apple), sometimes we use them during our missions.
Quite often, our client does not want to deal with vulnerabilities found in the software, whether in 3rd party components or the assessed software itself, as there are still a lot of software editors unable to deal properly with security bugs reported to them.

Let's focus on Free Software: according to you, since the end of the 90's, what kind of impact do you think Free Software has had on the security ecosystem? Is it marginal, has it managed to win, or is it midstream?

It has been progressing a lot since the nineties. It brought major contributions, but not as security products, even if there are some interesting security products coming from open source (GnuPG, Tor, Suricata, PaX / Grsecurity, OpenSSL...). However, most of these products are missing what makes a real difference: a complete team. Of course, amazing developers are making these tools. But they need to "sell" the product better to get more funding, they need something like a product management team to get money and avoid unexpected situations like what happened with OpenSSL or GnuPG, to have people dealing with tests, support and so on. One thing I have learned along the years is that having the best product is not enough. And if we want open source to gain more support, it will not come to open source; open source will have to win it, gain new territories. However, I am not sure where we are heading. Microsoft is now opening everything more and more while Google is closing everything more and more. Time flies, things change.

And beyond the source code availability, its use and its redistribution, has the philosophy of free software, in your opinion, had an influence on topics like the disclosure of vulnerabilities or security knowledge sharing among researchers? Did this sharing attitude become the normal attitude in the field of security, or is it not the case due to secrecy requirements (NDA, defense secret, business secret ...) or business model?
90% of the contracts we work on are under NDA. However, we still provide tools, feedback and hopefully useful information to the community. That is a wrong debate. Some information needs to be protected. What if we find a critical bug in a major server and disclose it openly? Only the bad guys will gain something from it. Security guys I know, usually, are able to differentiate what they can talk about or not. Talking generally about a technique, a tool, how it is used, is shared more or less openly depending on the people. Talking precisely about the context where the tool has been used, for what client, ..., is never discussed. And it is useless. Security engineers have a native understanding of secrecy. It helps a lot, but it means they also know what an information is worth, whether it is dangerous to share or not. I am not sure open source has any influence on that. It is a different world with different rules.

You founded MISC, a newspaper about IT security in France. You were also one of the founders of the SSTIC conference in 2003 which, like the LSM, is alive and well. What benefits did you find through these experiences? Are creation and maturation two major engines in your professional and personal life?

I LOVE creating "things", seeing them grow, evolve, change. I have never considered them as mine. I have always tried to combine ideas of the people I was sharing these adventures with. Note that it is the same with my padawans. I really enjoy it when I see them do things now that I am totally unable to do. And that is the same with Quarkslab. The company is 3 years old now, and we are facing a lot of challenges. We provide services like testing software of course, but we also help in designing the security part of software ... and we start to provide our own products such as IRMA (http://irma.quarkslab.com). So, yes, definitely, that is what drives me.
Let's talk about the Libre Software Meeting a little: we proposed you a keynote to speak about a subject of your choice about security and Free Software. Have you found your subject or are you going to speak about cats, p0wneys and unicorns? ;-)

I am still thinking about it ... which actually means I am so swamped that I just started to gather some ideas. So I will be ready for D-Day ... at least one minute before!

Thank you very much for this interview and see you all at Beauvais on Monday July 6th 2:00 PM for the start of the LSM/RMLL Security track with Fred :-)

Interview done by Fred (of course) and the RMLL SecTrack team (Mathieu Blanc, Christophe Brocas and Philippe Teuwen) through pad/email.