Sunday, December 6, 2015

David Barroso: "States will have less and less prominence"

David Barroso"Jack of all trades and a master of none".

David Barroso is one of the most intelligent hackers on the infosec community. He uses to say he spent 24 hours a day on his passion/job and we suspect ti´s true, because the many books he reads about the topic, how many people he knows on the international scene or the quality of the information he publishes on his Twitter account. In 1995 he started the university an his adventure on the infosec world. Today he is 38 years old, the best age to fund a startup, what´s exactly whats he´s doing. 

David looks handsome on his suit and he has travelled all around the world on business, but not many know he´s a real hacker, very active on the change of millennium infosec underground. He´s the author of exploits and tools like the famous Yersinia, created as a twosome with his friend Alfredo Andrés, which is nowadays the only one able to lump various layer 2 attacks. We herd Chema Alonso, Eleven Paths CEO, saying once "When I want new ideas, I ask to David Barroso".

- The first question is obvious: Why did you recently leave your job on Eleven Paths? 

- I´ve wanted to launch a company for many years, a company not only innovative on what it does, but also in how the company is from inside: I had to postpone it for many reasons, until now, when the proper time has arrived. In all the companies I´ve been I could experience at first hand the good parts, but also the bad ones on a strategic level, on the interaction with people, communication, etc, and I believe we can take all this positive things and improve the negative ones to create a company in which everybody likes to be.

In addition, I think people related with the security world are made of a special material, especially because we like breaking things and question the establishment, what helps us to try making things in a different way, with the objective o making the World better.

- The second is obvious too: the startup you are launching is the best kept secret after the identity of the Bitcoin founder. What 

- It´s not a secret, but we re really having a quite discreet profiles because we prefer confidence and confidentiality with the people and the companies we work with, although still being at a very early state. I feel strongly that in next years the way the companies and governments define their security strategy is going to change, and they´ll have certain capacities of what´s denominated "active defense" for not being constantly repealing (or not) attacks, without being able to do anything more.

I´m against the so called "hacking back" because the consequences could be fatal, but I believe that many more things could be done. Every company or government is going to be compromised, depending on the adversary they are facing, and it´s a fact. But we can make our adversaries more difficult setting traps for them making them loose their time, giving fake info, taking info from them etc. This is what I´ve gotten into :)

- You are not creating a Hacking Team for Latin governments, are you?

- Absolutely not. In fact, I´m more on the defensive side than on the offensive one, and the objective is to catch as soon as possible any operation against a government or a company, or against an user (dissident, journalist, etc.)  no mind if they use Hacking Team, GAmma Group, Raytheon or any of the personalized developments that exist (Barbar, Duqu, etc.).

- Your CV says you have been a speaker on many conferences such as BlackHat, RSA Conference, E-crime congress, APWG, FIRST, NATO, ENISA, SegurInfo, RootedCon o ICCyber. Which one do you recall with more fondness?

- Maybe when we went to talk on Yersinia´s BlackHat in 2005 with my friend Alfredo. It was our first talk outside, and additionally in English, and in BlackHat nothing less, which was the reference in this times. We took with us many switches, routers, and laptops to make a live demo. and we even showed a live VTP protocol 0day; the person in charge of the CiIsco´s  PSIRT was sitting on the first line! Another one I remember was when we found the first ZEUS version which affected mobile devices in 2011 (Symbian, BlackBerry and Android by then) what took us to tell it and work with people from all around the Wolrd. I´ve good memories of the NcN in Mallorca too, they looked great to me, or the Undercon, because of the mood.

- But, where do you come from? I met you when you were e-crime director at s21sec. How did you get there?

-  I was lucky to go to Madrid for my studies and I lived in a college staff with more than 300 people for many years. The firs year we set our network with many coaxial wires laying on the floor and the second year we installed Ethernet on the rooms, what was a great practice field for me (although there were many Linux fans from telecom at the UTM) and start with security matters, exploits (how many plays with land, winnuke, the Solaris telnet exploit, etc.). I created my first Arrakis website in 95, a hackers club which got 10 members :)

In these years I dedicated all my time to learn, to break things, being in Undernet and in the Hispano with different nicks, and to play with AIX, Solaris and Linux. I was very attracted by the forensic matters, on the operative system and the network levels, and I learnt all I could, what allowed me to enter in S21sec and learn even more from all the people there, I was very lucky for being with them. We started at  S21sec about 2004, analysing malware affecting our clients and step by step we created the e-crime Unit, which I was lucky for commanding it, and in which we were contending on a World scale with clients in many countries, helping them to fight against online fraud.

- After that, yo´ve been a boss on AT&T, Telefónica and Eleven Paths. How do you survive on these corporate environments without loosing your beautiful smile? 

- You´re not picking up with me, do you? :P Regardless where you are, you must have some values. Big companies has advantages and disadvantages, as the small ones; in both cases, if you are flexible and passionate about what you do, it´s very easy to be comfortable.

- Another one: What do you have to make them fall in love? Why do you think these giants give you the confidence for leading their teams?

- Sometimes they have told me one of my virtues is I´m very serious at the professional level and totally trust worth, and I think this is one of my best virtues, apart from being "breathing" security 24 hours a day; I like learning technical data every day, but also knowing the market, the companies, etc, and being able of sharing all those experiences with the people and the companies I work for.

- But what you really enjoy is intelligence, 
don´t you? It´s a concept only managed by military environments and secret agencies until only a few years ago.  

- You caught me :) When I started with the e-crime matters, we saw it was fundamental to gather as much info about the attacks, the attackers, etc. and to convert it into intelligence; we were doing some monthly reports about our discoveries, very similar to what was made on USA companies by these times. We like it or not, the intelligence is not the military or secret services domain any more, but is needed by companies at all levels (economic intel, competitive or in our case related to infosec). Nowadays almost every big company has intel analysts and it´s an ever increasingly demanded profile.

- Coming back to the startup: Intelligence will be your product?

- It has much to do with it, because thanks to our product we could get intelligence about your adversaries: It´s a Key info to take decisions.

-   You have the capacity of watching the scenario from a bird´s-eye point of view. What do you think when you look at infosec?

- It´s true I like to have an holistic point of view about the infosec world. In my opinion, we´re living complex times in this sense, where there is a total lack of confidence, not only between nations, but also between companies, mostly motivated for the "everything is allowed" state of things and the culture of impunity; not only among criminal cartels, but also among the states. But, meanwhile we are immersed on a transformation, where the states will play not an important role as they used to play in this sense, and the big technological corporations will take a bigger part on this game, because of our big technological dependence. In the infosec market world we´re also in a spectacular growing scenario, that could be a bubble or not, time will say.

- What dis your partner say when yo told her you were leaving a well paid job on a permanent position to fund a... startup? 

- It´s a very complicated decision, well thought and not easy to take :) Although at first they thought I was crazy, I´m lucky for counting on their support, something essential because if not, I´d never took this decision.

- What´s the secret to lead a hackers team and not die trying? 

- Giving them challenges, letting them grow and making them long life learners.

Text: Mercè Molist


Post a Comment