Interview : Xavier Mertens aka @xme

Hello Xavier

Could you introduce yourself so readers know you a little bit better?

Hello to everyone! Passionate about computer security, I am fortunate to have been able to make it my job. I even took the plunge a little while ago to become freelance. I’m working on security projects both offensive (pentest) and defensive (log management, vulnerability management, etc). And as this passion is very (too much - my wife would say ;-) invasive, I’m bust with many projects and activities always in the same field. I have my blog for years (rootshell.be), I try to participate in a lot of conferences.

You are what is called a Security professional but you are also involved in the life of the security community (BruCon organization, tools publication, participation in challenges and conferences ...). Do you consider these two aspects as complementary and necessary? Or could you live without the community part?

Absolutely, they are complementary and necessary! As explained above, it is difficult to make a clear separation between these activities but it is also very beneficial. I think the area of security requires a continuous upgrading. It is very difficult for your employer or customer to allow you to spend a lot of time to maintain your skills. It is therefore necessary to be able to learn by yourself, to invest your free time in order to discover new things. In addition, building a social network is super important. A question? A doubt? One can easily find an acquaintance who has already encountered the problem or who has the necessary competence at the right time. And it works both ways, many of my scripts and tools, developed in my free time, are also used in a professional setting.

You who is a conference organizer (Security conference BruCon), what are the challenges that must be addressed each year to make it a success? What motivates you to go "into battle" every year to rebuild a new edition?

BruCON is, as a majority of conferences, organized by volunteers. We have assumed that everyone did not have the resources to easily travel in order to attend conferences. So the goal was to bring renowned speakers in Belgium! The challenges are many: First from a content point of view, visitors always ask for more year after year. So one must provide an increasingly interesting agenda that "sticks" to the news (not easy when preparing months in advance!) in order to satisfy everyone. From a practical point of view, we try to organize an event on a human scale (max 500 people) to facilitate exchanges at all levels. If presentations are important, a lot of people come for the "networking" and chat over a drink. In the organization, I am responsible for the technical aspects: mail, websites, recordings and, during the conference, the network that is deployed in very short time! This is a good exercise to build a secure network, be able to detect and/or block attacks, and more fun things such as the "wall of sheep". This is an application that can detect dangerous user behaviors - such as using unencrypted protocols (POP3, FTP, IMAP) - and make them visible to all visitors of the conference. While this may seem very intrusive, it’s above all an educational tool. This year is already the seventh edition, with always the same motivation!

Have you always been attracted by Security or have you spent part of your life in different spheres such as computer networking, sysadmin or development?

I often compare IT to medicine. You begin with a general education and then go for a specialty! When I was in school (it goes already back a few years), there was no talk about security. No way to follow a course in this field. So I made "classic" studies in IT. I did a bit of everything: development, support, system and network administration. Subsequently I got more interested into security aspects, which I never abandoned ;-)

Which sectors of Security attract you most, and conversely, those that you like least: reverse, pentests, crypto, building defensive infrastructures etc?

I’m not comfortable with the assembly so we can immediately eliminate reverse-engineering ;-) I do a lot of pentests and audits. This then helps to mount well-secured infrastructures. One of my principles is: "To fight your enemy, you must know it."

What Security topics would you like to work on in the coming years? Why?

The one-million-dollars question :-) I think that security will be on the front of the stage for a while but the scenery will change completely. This will not be anymore a matter of "geek" but everyone will have to go there. I think technical aspects remain important to me, I don’t really want to wear a tie, I prefer shirts ;-)

How much space take Free Software in your daily practice as Security professional? What are their strengths and weaknesses?

To do my daily job, I classify the Free Software into two categories:

    Mature software with a full documentation and a "community support" (via ML, IRC, forums)
    Some pieces of code that have a very specific function (e.g. to exploit a well known flaw in a software)

Their strength? You can change them the way you want to add THE functionality you want (e.g. a few years back, I added GeoIP support in OSSEC). Their weaknesses? A lot of people still believe today that "Free Software == software for free". This, alas, is totally false! It requires also patches, maintenance, hardware etc. Sometimes we can observe a lack of transparency in the overall project, I think particularly of OpenSSL that is used in the vast majority of products (both commercial and free) and suffered huge vulnerabilities! (Tough love ;-) )

Your presentation at LSM talks about the security of home networks in the era of connected TV and IoT (Internet of Things). Do you think the service and hardware providers would dare to retrieve and exfiltrate data without the knowledge of the users, from within our own home networks? If this is the case, what are your trails to fight against these uses?

This has already been shown! A good example is the Samsung SmartTV which exfiltrated user private data! The big problem is that more and more "gadgets" are now embedded computers (with an OS, network connectivity, input-output). Joe Sixpack does not see them as a threat because they look nothing like a good old desktop! I remember my children telling me about a server a few years ago: "But it is not a computer, there is no keyboard !?". I think it is easy to control your devices but we need also a little more transparency from the manufacturers. As it will not be easy to avoid all of these devices, it is time to apply the same precautionary principles as on corporate networks: control and education are two keywords!

Thank you for this interview and see you all Tuesday, July 7, 2015 in Beauvais to attend your presentation at LSM!

With pleasure, see you in Beauvais!