
Thursday, June 13, 2013

What's Next? I've done a lot already...

I'm now looking for a new job, you can find my CV on most dedicated sites.
So what's next? Looking back, I've done a lot of things so far. In approximate chronological order:
  • Cattle dealer (sheep)
  • Math teacher
  • Sheep grower
  • Assembly and reverse-engineering teacher
  • Cybercafé technician
  • Chemist
  • Secondhand bookseller
  • Snack manager
  • Blue-collar factory worker
  • IT association leader
  • Web developer and administrator
  • Military HCI developer
  • English teacher
  • CISO for two companies
  • Company cofounder
More transversal:
  • Driven 1500km a week for two years: check
  • Being a good boyfriend: check
  • Worked in a 3-language environment: check
  • Bringing directors together to discuss IT security: check
  • Worked abroad: check
  • Held relations with public and private interest groups: check
  • Managing wide and complex projects: check
  • Self-learning technologies from scratch: check
  • Motivating a team: check
  • Decision making and responsibility bearing: check...

Thursday, October 11, 2012

Note for Myself: List of Security Certifications and Related

By (ISC)²:
  • SSCP - Systems Security Certified Practitioner
  • CAP - Certified Authorization Professional
  • CSSLP - Certified Secure Software Lifecycle Professional
  • CISSP - Certified Information Systems Security Professional

By ISACA:
  • CISM - Certified Information Security Manager
  • CISA - Certified Information Systems Auditor
  • CGEIT - Certified in the Governance of Enterprise IT
  • CRISC - Certified in Risk and Information Systems Control

By Cisco:
  • CCNP - Cisco Certified Network Professional
  • CCNA - Cisco Certified Network Associate

By Microsoft:
  • MCSE - Microsoft Certified Systems Engineer

By British Office of Trade:
  • ITIL Foundation, Intermediate, Expert and Master

Saturday, July 14, 2012

Time passes so fast

First time I worked as CISO: almost 5 years ago,
first time I was paid by a company just to do IT: 8 years ago,
first time I owned a PC on my own: 12 years ago,
first time I wrote a full-featured game, on a TI calculator: 13 years ago,
first time I gave a lesson on IT matters: 13 years ago,
first time I used Linux as my main OS for home: 13 years ago,
first time I reverse-engineered a piece of software: 14 years ago,
first time I used the Internet, wrote a website (and learnt English): 15 years ago,
first time I used Linux: 15 years ago,
first time I used a PC: 18 years ago,
first time I wrote code, on a CASIO calculator: 20 years ago.

Wednesday, April 18, 2012

My best posts on the web so far

On this blog, according to Google web stats:
1. Fun Fact: Wrong Sense of Rotation for Deming's PDCA Wheel, maybe just because people are looking for info about PDCA.
2. Back on the technology SPOF: practical case, I think I'll write a bit more about this.
3. Fun fact: Facebook Bug in Handling Who Accesses Photos, whenever you speak about Facebook, people are just interested ;-)
4. Companies beware of SSL decryption in your proxy! a very important matter that should be more spoken about.
5. Why Windows 7 will not crush Linux, just a troll.


[FR] On Linuxfr.org, according to users' marks:
1. Commission Européenne - Rendre les développeurs juridiquement responsables de leurs développements ?
2. [HADOPI] Lettre ouverte à Jean-Marie Cavada
3. MS Office 2007 SP2 supporte l'ODF 1.1


[FR] On the French wikipedia, personal sorting:
LabView, the virtual instrumenting software.
Radioss, mechanics software.
Yukar, Ainu sagas.
JavaOne, yearly conference about Java.
Unicum, a Hungarian bitter liquor, delicious.
Cuba, movie with Sean Connery.

Others:
[FR] A very old CV that I should update !
Also my LinkedIn and Viadeo profiles.

My many namesakes

I have an uncommon but not extremely rare name. It seems logical that I have namesakes. What's funny is that, with the Internet, everyone advertises themselves and you can quickly discover your namesakes :-)

Approach: start with the big sites, to discover the pages belonging to certain namesakes who publish on the net, then finish with the search engines, to see whether there might be a few others.

1/ Facebook: I have 9 namesakes, including one who has a fan page, a pianist.
2/ Myspace: our pianist again.
3/ Tumblr: nobody.
4/ Youtube: our pianist again: Adele, Someone Like You.
5/ DailyMotion: the same content.
6/ LinkedIn: two new ones, with interesting CVs.
7/ Copainsdavant: three new ones.
8/ Wikipédia: a Christophe Pradier was a host on a Lyon radio station.
9/ Amazon: mostly our pianist, but also a small dose of humour:
Voulez-vous dire Christophe l'Irradié ?


Let's move on to the search engine results:
1- Our pianist's site
2- The white pages
3- Ah! Company director on société.com, that sounds good: a namesake is apparently president of MEDIA PERFECT. (nothing to do with my Lux Media)
4- Another one, or the same, director of PRADIER père et fils
5- An elected official in Evry?
6- One who works for Europa, the official website of the European Union.
7- A handball referee!
8- A plasterer.
9- Someone who works for Orgaco, a company that supplies stationery and office equipment to the national education system.

I also remember seeing a Pradier working in cryptography at the University of Limoges; I even think he had published a book on the subject. Unless it was me and I did it in my sleep...

Tuesday, April 17, 2012

From now on: multiple languages on this blog

Due to some demand from followers, I've decided to now post articles in whichever language I see fit, not only English.
This should lead to a majority of English and French, though I may post articles or comments in German or Romanian.

Tuesday, April 3, 2012

Added Metasploit to my Free Software Stack

I've been working a lot with Metasploit lately, so I decided to add it to the "Free Software Stack" on the right of this site. It's always a pleasure to see Metasploit work :-)

Tuesday, May 17, 2011

Been doing some reverse engineering

I've been reversing a Win32 PE executable lately, something I haven't been doing since I was 15. I found it quite easy. Much easier, indeed, than a few years ago. What's changed since then?
  • The tools have changed. At the time, I used to master WinDASM and SoftICE, which are no longer fashionable. It even seems that WinDASM has disappeared from the market. This time, I used HeavenTools' PE Explorer, which is a clear improvement on the latter.
  • The PE format has not changed. Or, at least, nothing that matters in debugging.
  • Windows is more stable than at the time, saving you many reboots ^^
  • The compilers have not changed much. It seems that I could learn to recognize compilation styles of various compilers in very little time.
  • Most of all, I've not changed. I can now remember very precisely why I quit reverse engineering software back then: because I prefer working with the source code and I prefer working in design or implementation modes rather than in debugging mode. I can now remember that I quit reverse engineering software approximately the same time as I started using GNU/Linux on my desktop.
I can clearly validate this view years later: though I'm happy to be able to reverse a binary, I think programming is more rewarding.

Saturday, April 17, 2010

Altering the philosophy of this blog

I have long felt that responsibility in information security was a hard management job.
I have always known, through personal temper, that leadership is an asset in every management position.

Yet it never appeared to me until a few semesters ago how much responsibility in information security was a job that required, most of all, leadership skills. For this reason, I have chosen to more regularly publish articles on this site about the leadership of information security, including good readings about it, even uncommented.

Among the reasons that conspired to enhance my point of view, here are a few:
  • Working as responsible in this field for more than two years now.
  • Realizing that the job is a drop about team management, a bucket about upwards management and an ocean about transversal and stakeholders' management.
  • Realizing that security is a lot about conceptions and misconceptions, and that vendors are better at it than internal managers of any company. And that reacting to this situation takes a lot of communication towards the teams.
  • Having Anton Chuvakin summarize one of my articles by naming my job "expert in security leadership", which made me think a lot.
  • Reading books like "Geekonomics", by David Rice or "The CISO function [FR]", by Bernard Foray.
  • Seeing that everyone is capable of designing a highly sophisticated security framework in his head, but less often implements it.
  • Reading a lot of blog articles from security experts, and writing a few, complaining about people's behaviour and misconceptions and calling for help, for people to change.
In the end, I have decided that the best is to help myself, rather than wait for others to change or wait for "top management" to give full powers. Heaven helps those who help themselves, as is said on both sides of the English Channel.
So now comes the time when I put the emphasis on leadership.

Comments, praises and amazements welcome.

Wednesday, March 24, 2010

Friday, November 6, 2009

Friday liberty blogging - I'm French and that's something

It might be an unknown fact to my non-French readers: the French government is currently flooding the media with questions about the French identity. What is it to be French?

They also use the fuss to cover up their shameless unprincipled immigration practices, but that won't be the subject of the present bill.

The subject is the French identity. I would like to elaborate on it, because I'm one of the lucky ones down here who have spare time and spare thoughts to ask such questions and try to answer them. When my friend Thierry Kakouridis wrote an article about the matter (FR), I thought I had to reply to it.


France is a melting-pot of people with various views and cultural heritage. It is not one. For instance, several values are deeply written in the culture of my natal region that are not always shared in other places in France:
  • Anti-clericalism: People can believe whatever they want as long as it does not encroach upon my life and my political freedom. If it does, they, not I, have to withdraw.
  • Ability to live on one's own: You will be well-considered if you don't require help. You'll still be welcome if you do require help, but you won't be thought of so highly.
  • Giving one's word: Something said is just as good as something signed in black and white on paper.
And I did inherit these values from my living there for twenty years. Yet, as I said, these are not prominent values everywhere in France. So which should be the values of the French? First of all, I think there is the freedom of ideas. Foreigners are often surprised at the way the French take the liberty to interpret non-negotiable things. Whether it be the law, the religion or the management theories, the French often only take what they want from it. And if you ask them why, they always have a good (yeah, or bad) explanation for it.

This is one of the basic freedoms that people from occidental democratic countries enjoy. And that's a freedom that can only be removed from you if you don't use it enough.

For this freedom to be within reach of a humble citizen, it requires:
  • A culture that values culture above wealth,
  • A culture that values thinking above believing,
  • And the associated society that preserves and enriches this culture.
I think other freedoms are less important to the French. We cannot be French without allowing ourselves to think freely about things of interest.

We also use to have equality and fraternity in our national motto. This to me relates to two other main components of the French conscience:
  • The hatred of hubris. Not all the French believe in a God up-there but all the French agree that there is no God down-here. The excess of pride that leads to think of oneself as a God and to behave as such is un-French. It is considered a disease that can affect both individuals and nations.
    For instance, the French renounced the death penalty. We mostly consider that a nation has no divine right to claim lives.
    This is, to my mind, the meaning of the equality word in our motto: none of us is a God.
  • The meritocracy. While we enjoy the equality of people in rights and dignity, we clearly know that we are different and of different skills. And none of us can pretend to be good at everything. Yet, we believe in the need to live and work together. And this means that we have to know and reward the merits of each. And this goes, not through money but through respect and consideration from others.
    This is precisely why the French are outraged at the idea of a film maker being treated as a usual burglar, or at the idea of their previous president being thrown in prison.
    Sure, the law is equal for all, but in conjunction with the fact that all the French choose by themselves which laws to apply and which not, meritocracy is commonplace in France. You get "powers" from being known for your past achievements. In exchange for these powers, you have to continue to serve well the nation. We know that we are not working against each other, rather for each other.
    That is, to my mind, the meaning of the fraternity word in our motto.
To answer Thierry's underlying questions:
  • Yes, one is first of all what he/she wants to be. And most of the French want to be French rather than regional or European or other. And that's precisely why there is such a fuss about national identity right now: the French do feel that their identity is at risk. (To my mind that's more because of the current government than because of the immigrants. And some people are thinking the wrong way, because of fear or ignorance. That part is indeed a French failure.)
  • There could be some confusion about Theodore Roosevelt's words. It could be misinterpreted as a call for "cultural purity". It's not. It's a call for everyone to adhere fully to the identity. And as such, the American president's words match my feeling about the French integration style. You can be more than French, but you cannot be half-French.
    There is no room for hyphenated Frenchism, reduced Frenchism, but there is plenty of room for people to bring in additional cultures from whatever source nationality.

Friday, June 26, 2009

SEO game - Jeu référencement SEO

This article relates to a website only available in French. If you can't read French, sorry this time, I will not translate the many pages into English. All that follows below was written in French.

A French-language game about SEO (optimizing a site's position in a search engine's results, typically Google) has just started at www.jeu-referencement.com. It consists of 15 small challenges to get through, each using a technique related to SEO. I will give you only two hints:
  • If you hit a 404 error, it means you must keep searching, not give up.
  • Challenge 14 is buggy with certain software configurations, so don't hesitate to force it in every way possible; it's the result that counts.
It took me about a day to finish the 15 challenges (not 24 hours straight glued to the screen! just a few hours in fact). And I'm quite happy, I learnt a few things I didn't know.

Tribute to Fravia

I learnt yesterday that Fravia has died. He was a talented hacker and a jack-of-all-trades in IT, almost a master-of-all-trades I should say. He administered a site referencing a lot of resources for people to learn about computers, software and information systems. There you could find learning material from the beginner's tutorial to the master's last discovery.

I learnt a lot thanks to Fravia. I was studying on resources from his site when I first disassembled a binary piece of software to shift its behaviour, almost thirteen years ago. I found my way through WinDASM or SoftICE by following tutorials from his site.

I owe Fravia a lot and, though I never met him in person, I will not forget him. His site is still up, alas I can only hope for it to be continued, there is no certainty.

Fravia's logo

Sunday, June 21, 2009

Articles about Geekonomics to come

Following the return of my copy of Geekonomics: The Real Cost of Insecure Software, by David Rice, I am in the process of writing a few articles about the ideas from the book.

Go read the book if you're interested in understanding the phenomena around and beneath software insecurity and bad quality.

Since I do not want to plunder the author's content by making a detailed summary or quoting the most interesting excerpts, I am selecting a few subjects and trying to explore them a little further than the book. Which will be very hard since I do not have all the investigation sources that Rice may have had, nor patience, skills and experience. In short: I will give some opinions from my understanding of matters in or around the book.

Friday, June 19, 2009

Friday liberty blogging - Assaults on the neutrality of the network

The Internet as we know it: a place almost free of control, with sites rewarded by audience proportional to their qualities, with a good anonymity protecting political dissidents, this place is under high fire from governments and ISPs.
While we might have thought this kind of attacks would come from very liberty killing countries such as China or Iran, they are now in the headlines even in most liberal countries such as France or Germany. To give just a few examples:
  • In France, giving as a pretext the fight against illegal downloaders of music and movies, the government is trying to install spyware on all citizens' computers.
  • In Germany, giving as a pretext the fight against child pornography, the government gets a law voted for a censorship policy, and starts building an architecture able to filter the web's content.
  • In England, judges rule that there should be no anonymity for authors of texts made public on the Internet.
  • In England, an ISP starts using bandwidth modulation to discriminate against sites helping its competitors' businesses.
As far as I know, most of my readers are probably aware of some of these problems. So, instead of commenting on each of these assaults separately, I decided that from now on I would keep a list up-to-date gathering all articles that I would read about this matter. Most should be in English, yet there could be articles in any of the languages I can speak (French, German, Romanian and variants).
The web page of the list is at this address.
You can also find an RSS feed at that address.
I support individual rights

Friday, May 29, 2009

Friday liberty blogging - Time for European Civil Society

By reading the news these days, I can't stop asking myself "Why don't they discuss those questions at a more European level?"

Problems of unemployment could be discussed better at a bigger scale. Problems of milk price should be discussed on multiple countries that produce milk. Problems of European universities versus giant universities from China or the US should be discussed among a council of university managers...

Indeed, Europe has working institutions, working agencies, awfully efficient lobbies, working-so-far agricultural policies... but we don't have a working civil society.

You could count famous European-wide NGOs, labour unions, newspapers, political forums... on the fingers of one hand! Few exist and most are unknown to Europeans.

OK, there are some problems to solve: languages, different definitions of words (like the English "liberal" very different from the French "libéral")... but I think those problems can be solved. I think the real problem is the hidden agenda of people with national interests and no transnational interests.

For this reason, I think it would be wise to encourage initiatives like "transnational regions", administrative regions that spread on two or more countries, for instance a region that includes parts of France and Spain, across the Pyrénées. The possibility to have a quantity of political power on transnational scale will help a new civil society emerge.

It's time for a European Civil Society!

Sunday, March 22, 2009

Articles about Geekonomics - delay

I told some of my readers that I would write a series of articles on Geekonomics: The Real Cost of Insecure Software, by David Rice. This excellent book attacks the macroscopic questions of why software is so insecure and how to secure it.

I have lent this book and will be late (gosh, I am already late), till I get it back.

Friday, December 12, 2008

Friday liberty blogging - "Bush frightens terrorists"

I read again yesterday that same comment on GW Bush and his impact on terrorists. "What you don't seem to understand, you f@¤#! Europeans, it's that Bush frightens terrorists, he scares them to death!"

I have never quite understood the train of thought that might lead to that. Leaving aside the idea that scaring people to death is probably what makes terrorists, let's concentrate on the evidence:

There has been only one major terrorist attack on the US (of foreign origin) in the whole history of the nation. And it happened during the Bush administration!
- I will not deduce that Bush failed because of this. No, it's just a sample value. It falls short of making a statistic.
- But no one can deduce that Bush did great work. He did the worst work of all Presidents of the US, as he was the only one to get a terrorist attack.

Finally, let me add this little thing. Killing someone is the easiest thing on Earth. Anyone can go in the street and kill people. Any day in your office, you can decide to kill a colleague and do it. So one cannot stop people from going mad. So if you vote for a President because of his words on stopping terrorism, you're just encouraging more lies.

Saturday, November 8, 2008

Friday liberty blogging - Welcome back, America !

Need to celebrate a little on the election of Barack Obama.
After eight years of GW Bush, the Republicans had become in the eyes of the world the party of warmongers, liars, religious extremists, creationists, gun nuts... The Americans have sent the message that they didn't want any more of this, that this was not the Republican party at all.

Welcome back, America !

I am sorry for John McCain and Sarah Palin, who were valid candidates. I am also sorry for the Republican party, which stands for good values, very important to the strength and vitality of the US. But that's the result of eight years of GW Bush.

Good luck to president-elect Barack Obama, who will have to deal with big tasks, even more now that all the world is looking at him for a sign of hope. Welcome back, America !