Monday, June 22, 2015

"We focus too much on solving problems with patches"

Fermín J. Serna, Information Security Engineer at Google.

What can we say about Zhodiac? He left anonymity in the 90s to join a group, JJF Hackers Team, that went from being the butt of others' jokes to making history. He imported to Spain the term "white hacker", an invention of the hackers who were beginning to set up their own security companies in the US. And he launched the first public security / hacking event in this country, No cON Name, with the venerable Securmática's permission.

Zhodiac jumped to the Premier League thanks to !Hispahack, then kept playing hard when the community was at its lowest moments, and was there for the revival, with Sexy Pandas and Capture The Flag competitions. Zhodiac's life, alias Fermín J. Serna ;), from Madrid, 36, two daughters and another on the way, engineer, technical founder of S21Sec, 4 years at Microsoft, now at Google, is a microcosm of the history of the hackers as it was told at the Cybercamp event. And there are people so good that the "under" tag is too small for them and, like it or not, the light hits them.

What do you do at Google?

A bit of everything :)

How did you get into this?

It is the fault of the genes. Someone gave my father a Spectrum, on which I learned BASIC more than 25-30 years ago. My brother, a lawyer, worked at the first Internet cafe in Spain and gave me free Internet back in 1995. Before that, we had Iberpac and X25 at home. I lived with technology and networks from a very young age. I was quickly fascinated by how things work and how to break them.

Has anyone ever offered you a lot of money to go to the dark side?

It is a somewhat ambiguous term. I understand the "dark side" as the illegal world where people take advantage of others for their own profit. I have always avoided such conversations. I'm not interested at all. It is unethical. I want my daughters to inherit a better world.

What "three essential things" would you take to a CTF?

3 0days. In a CTF everything must be allowed, no? Nothing better than hacking the score server. This happened not long ago at Defcon. :)

Do you know that your blog has been stopped since September 2014?

Yes, and it is intentional. I only post things that I consider relevant and developed by me. Due to certain new laws, I do not know if publishing exploits, techniques, etc. in a blog is all legal. Remember that I live in America and my blog is on a server god knows where.

Your profile on Twitter says just "exploiter". Sorry?

Within security, the exploitation of software vulnerabilities is the field that I love. In my opinion, it is currently one of the most complicated fields and one of the fullest of challenges. The challenges and the hard work to solve them are what motivate me. I have specialized in this field without neglecting the others... and it has not gone badly.

How did you explain to your mother that you were a hacker?

It did not happen. When you see your child staying home on Friday night with the computer... Fortunately, my mother was an "early adopter" and has had a computer and Internet since 2000. Google was her friend in finding my trail online.

Someone who knows so much about cybersecurity, what is he afraid of on the Internet?

I live with precautions on the Internet, but I cannot ignore that if "someone" wants to compromise my systems, they would end up doing it. I can only put up obstacles, to make that "someone" come from the smallest group possible, and to make the price so high that they wonder whether the reward is sufficient. The weakest link is always the human factor.

Conceptually, what are we doing wrong in defending the network?

In my opinion, we focus too much on the problem and on putting on a patch. This, in large measure, is very much influenced by security companies and their profits. Instead, we should be focused on solving users' problems.

Would it not be more profitable in the long term for the customer to solve the issue of malware with visionary and creative solutions? Would it not be more profitable in the long term for the customer to invest in web frameworks where SQL injection, XSS, CSRF, etc. are not possible? Or is it better to have an audit for each iteration of development? Would it not be more profitable in the long term for the customer to invest in making whole types of vulnerabilities not exploitable, instead of constantly patching failures?

Does any sentence (not in your passwords) guide your steps?

"Work hard, be humble, be good people, be upright, and the reward will come by itself"

Text: Mercè Molist
