Friday, October 16, 2015

Alfonso Muñoz: "I investigate the hiding of executable code"

Alfonso Muñoz, second in command of CriptoRed.

Most of our readers possibly don't imagine a cryptographer like Alfonso Muñoz: handsome, 34, without glasses or suit, more hacker than nerd, works as "senior security consultant" in IOActive, a top world company in cybersecurity. "I was born and I live in Madrid, I'm familiar and quite homemade, I don't need too much to live. My physical integrity is defended by my dog, a "fierce" yorkshire able to crush any spy who tries to enter my house ;)" Only his nick, @mindcrypt, just reveals there's something "strange" in him.    

Alfonso entered in 1999 in the Polytechnic University of Madrid for the degree in Technical Engineering in Telecommunications. "I wanted to study something fast to earn a living. My family is the classic working class family who moved to Madrid looking for a better future". But he started to achieve the highest marks, enjoying it a lot, so he finished another career, Telecommunications, and afterwards the doctorate, and after a postdoc, entering many projects and even working as a teacher. But Alfonso is an uncut diamond and the walls of University become small to him. Here's him, just lifting his flight up.


-You've just arrived at IOActive and you're already publishing a "paper" about steganography

- My current efforts are focused on the hiding, through steganography, of executable code which can be auto executable, what nowadays is possible with some restrictions. Although I have researchs going on...

- A boy like you working in criptography...

- It is one of many issues from computer security that I'm passionate. Maybe I was caught by this romantic idea that a human being with a pencil and paper could develop an algorithm that no other human being was capable to infringe. In short, the poetry of mathematics.

- You are a developer of a lot of tools to generate "estegotexts", what is it?

- Hiding information in natural language texts. There are several ways to transmit it, for example you can read a stegotext by phone. I have focused my interest in hiding texts in Spanish, modifying existing texts or automatically generating them.

I am particularly proud of Stelin: from training texts, it is able to imitate their language and produce new texts where I can hide information, depending on the chosen words. Furthermore, an issuer may make manual improvements to the text, without the receiver needing to know those improvements to retrieve the hidden information. With practice and time you can produce fully human and very difficult to detect texts.

- After 15 years in university, why are you leaving it?

- I love the "public" university and its ability to change society. My main reason is the lack of real options with a minimum of stability in the medium term. On the other hand, to achieve a place in a public university, which is a shame, often does not only depends on your ability or results. As in the private sector, there is much corporatism, elitism and smoke. Too much smoke.

- Your name is very attached to Professor Jorge Ramió...

- We met nine years ago, through my thesis advisor, Justo Carracedo. It was a matter of time to realize that the Criptored thematic network that Jorge created in 1999 for an enclosed area (university research), should be opened and transformed for the professional sector and then to the general public.

- Could you describe Criptored with numbers?

- It is not easy. We deeply hate that people have to register to "consume" information, so all we know is the thousands of users who voluntarily subscribe to the mailing list, Twitter or Linkedin, and the traffic of the website: several millions of accesses and downloads (800 GB of documents downloaded this year), 1,208,833 views on YouTube, more than half a million visits in the MOOC Crypt4you (the first Spanish MOOC on computer security).

Criptored has three parts: it joins professionals in computer security, exchanging information, events, news. It creates projects of free massive training in computer security in Sspanish (Intypedia Project crypt4you, Thoth, DISI, TASSI). And finally, it gives training and specialized consulting and private projects. One of the things that I'm proud of is Latam people without resources who write us and tell us that the information we publish helps them to open a labor future.

- You are lately posting criptochallenges on Criptored.

- I would like to do more of what I do, but I need to sleep, even a little :) Additionally I have made about 40 minichallenges, less complex, for INCIBE's Cybercamp. I am in the process of seeking sponsors for prize-money awards, so maybe more people are encouraged.

- My impression is that 10-15 years ago, there were more love for cryptography.

- It is possible. Cryptography has become a "commodity" like water or electricity. It is a mature science and there are many tools to try to ensure the privacy of our data and communications. There are probably more people interested in developing tools for communications concealment (data leakage, systems remote control, perimeter security evasion). Or maybe pentesting or reversing are much more interesting .

- After the Snowden's revelations, I would have expected an increase in the use of cryptography in private communications...

- It's a losing battle. The main problem of cryptography is that people do not use it. We must simplify it as much as possible and make it as transparent as possible to the user.

- If the police can not decrypt quantum cryptography, will it boost your research?

You really like conspiracy!! As if the police has nothing better to do :) Now that nobody reads us I'll be frank, at the risk of being wrong. Quantum cryptography, without considering specific attacks to devices or protocols that implement it, has many disadvantages, traditionally the need for dedicated links and the difficulty of long-distance communication. I doubt that its use will be widespread. It should not be forgotten that this type of cryptography is only distributing a cryptographic key, then this should be used with another algorithm where problems can arise. I see much more reasonable the widespread use of post-quantum algorithms (https://en.wikipedia.org/wiki/Post-quantum_cryptography), and in this case the police or whoever will meet the same problems that nowadays exist when trying to decrypt communication with RSA or AES: attacking the key or "stealing" it :)

- Finally, any sentence guiding your steps?

- It is an adaptation from Charles Chaplin's quote: life is a play that does not allow trials, so sing, laugh, dance... before the curtain is down and the function ends without applause.

Text: Mercè Molist

0 comments:

Post a Comment