Veritasium, a YouTube channel worth discovering

Even if you do not like science, or do not feel you have the soul of an explorer or a scholar, it is quite likely that natural and physical phenomena sometimes intrigue you, without your wanting to embark on a complete study of Wikipedia.

The great difficulty is finding someone who can explain things in simple terms, playfully, and without formulas. Completely by chance, the evening before last I came across the YouTube channel « Veritasium », hosted by Derek Muller, and I have already spent two evenings watching these excellent videos.


Bruno Kerouanton on October 29th 2014 in Culture

CISOs, are corporate Policies obsolete? And are you already dead?


I've always wondered about this dilemma:
Even if, as a CISO, you define the best infosec policy ever, and forbid your users any use of cloud or unknown services such as Gmail, Dropbox, LogMeIn or TeamViewer to prevent data leakage, is that really effective?

Your company does not operate in a closed environment. If it did, it would already be bankrupt, because it would have no clients or contractors.



Bruno Kerouanton on October 9th 2014 in IT Security

Happy birthday, my blog!


(no, this is not a post about Windows 10, I promise!)

My blog is already 10 years old! I posted my first entry in September 2004. How time flies, and how much has happened since!

In fact, I have been running my website for even longer; I even started in the last century! To keep a record and a few fond memories of what made me tick back then, I have dutifully archived two successive versions of my first websites, which, I admit, are no longer quite up to date (and above all, don't laugh, be nice!)



Bruno Kerouanton on October 1st 2014 in Blog's life

Server maintenance

As you probably know, I'm hosting most of my websites on Gandi's SimpleHosting PaaS service. Unfortunately, the instance regularly crashes, and after opening a support ticket at Gandi's helpdesk, I was told that the issue seems to be related to some PHP code on my side, somewhere on the instance. That just means I'll need to spend some time investigating the issue, which could have many causes, as I've got many websites & domains on my instance.

I've rented a second virtual instance to do some testing and debugging of my sites, and that also means some of my sites, including this one, are going to disappear from time to time. This is a temporary state, and I hope to find and solve the issue. Meanwhile you can still reach me by email, and read or interact using Twitter and LinkedIn.


(Edit Sept 30): Finally found the issue! It was due to some faulty PHP plugins in WordPress. It took me a long time to fix, as there were interferences between them, and the instance was rebooting at each attempt to fix it. Anyway, that's now solved!

Conclusion: Beware of any plugins… they can be evil, they can be faulty. But you already know that: BSOD = 3rd-party drivers, IE/Firefox crashes = faulty Java/Shockwave/Flash/PDF plugins… and so on.




Bruno Kerouanton on September 15th 2014 in Blog's life

Ex-libris, and other subjects

Noting with dismay that my blog has now been neglected in favour of « fast and bland » media that only allow expression devoid of style, such as Twitter and other social networks, I offer you this little post as a preamble to the 2014-2015 season of my blog. Not knowing whether the urge to recount various ideas or lived experiences in a few lines will return, let's say I am attempting here a resurrection of my space for expression. We shall see what the future holds for me on this subject.



Bruno Kerouanton on August 18th 2014 in General

What is he sticking his nose into, that one?

A bit of housekeeping on my blog does no harm: I found some old unfinished posts. Like this one.


Last night I spent quite some time on reverse-engineering sites, notably to prepare a few challenges for the contest. Since last night, I can no longer access a site I needed.


Bruno Kerouanton on May 22nd 2014 in General

Building trust in a connected world

I was recently invited as a panelist expert at CIO Forum (the VIP event for selected CIOs within EMC World, Las Vegas), in duo with RSA's chairman Art Coviello. We were interviewed by CBS News's famous correspondent Richard Schlesinger.

The topic Art Coviello wanted to talk with me about is « intelligence-driven security », as RSA’s vision is now empowering storage and big-data, to collect as much data as possible from different sources, analyse them and try to detect abnormal digital behaviors, on servers or networks.

I strongly agree that for now, the only realistic way to detect APTs is by doing so. The whole infosec industry is starting to realize that detecting anomalies on a single device such as a PC with an antivirus or isolated detection systems isn't enough against new forms of cybercrime, and that signature-based detection is just becoming impractical. Even Symantec said publicly a few days ago that the legacy antivirus concept was dead.

Obviously, that kind of data collection and deep-packet inspection means a total loss of privacy, as users are being continuously monitored. Thanks to Richard Schlesinger, I was able to develop this important topic, and how the IT industry could help to improve privacy while preventing cybercrime.

I quoted the just-released White House report on big data and privacy, explaining that even Obama's government started realizing it was becoming hazardous to let private companies and the government do big-data analytics on people as they do it now and in the future. The report gives several recommendations (starting p.68) about what to do, notably protecting children, preventing discrimination, and extending privacy to non-U.S. citizens, which is a really good step forward (but those are only recommendations for now).

I also explained that the reason all non-U.S. citizens are so angry about the U.S. Government and private companies collecting data is that we (Europeans) do not have the same definition of privacy. In the States, and contrary to popular belief, people do care about privacy, but not the same way as us. In Europe, privacy is about personal data collection. In the US, privacy is about personal data disclosure. Which is totally different, because it means Americans do tolerate the collection and analysis of their data and behavior, but are in the same position as Europeans if for any reason this data (or related data) is disclosed against their will.

That largely explains why so many US projects at Google, Facebook, Apple, and everywhere else don't really care about the negative impact of data collection and analytics: they focus on IT security to protect that data and the resulting analysis, and keep claiming that they really care about privacy. Which is right up to a point, because privacy is, for them, only related to unintended disclosure of personal data. That also explains why strong leaders such as Art Coviello, and his company RSA, are pushing forward the intelligence-driven security model: for them, doing so is not directly related to privacy, since the data collected is not supposed to be disclosed but only serves to detect and remediate cyber-risk. Like an antispam filter that scans emails to detect anomalies, but on a much larger scale, as it embraces the whole Internet. So they really feel they are doing things right, and I believe their sincerity on that point, when they say they don't intend to harm people's lives, but try to protect them (even if the way to achieve it is not the right one, as the consequences can be dramatic).

So the issue is « only » related to a difference of what privacy is really about.

I used an analogy with people: when you fall in love, you blindly trust your partner. If he or she betrays you, it's a major disillusion that can definitely harm the relationship and could take years to forget (or can never be rebuilt), as trust is destroyed. People fell in love with the Internet, so they blindly trust it (the reason they put so much private info everywhere, starting with search engines). So the Internet has the moral duty not to betray them, as it has a special relationship with every one of us, as would any partner we love.


All companies, institutions and governments making the Internet happen should act in accordance with this principle.

I'd suggest a few pointers to start moving forward, that may help:

  1. Establish and enforce transparency. Transparency about data collection and usage. Citizens and users should be able to easily get full answers about « What », « How », « When », « How long », « For what purpose ».
  2. Introduce a right-to-be-forgotten concept. Citizens and users should be able to opt in and opt out whenever they want, without questions being asked or unintended consequences.
  3. Protect against discrimination. Big data should help people, not induce negative effects. Citizens and users should be assured that their own, their children's, and in general everybody's collected data will only be used in a respectful way, not only at the time it is being collected and processed, but also during the whole data lifecycle.
  4. Consider negative long-term consequences. Citizens and users should be safe and confident whenever their data is collected, during their entire life. Any collected data and analysis have to be designed in accordance with the fact that such collected or generated data must be kept safe at least during the whole life of the individuals (which can be > 100 years).

Those principles are not only there to protect personal data, but also to sustain our digital economy. We all know how bad the consequences of the NSA revelations were for the US digital industry. Many people and institutions became reluctant to use services or store data in the States, because most citizens, even in the States, felt betrayed.


The solution is to safeguard trust. I've changed my Twitter profile, as I now no longer use the term « security » in my description: building trust is much more powerful for me, as it embraces both security and privacy. Bringing trust to individuals and all Internet users, whether they are people, companies or institutions, means having the right balance between security (to protect data) and privacy (to protect people).


Thank you for reading. Spread the word, and feel free to link to this page or quote the contents. Because trust matters!


Bruno Kerouanton on May 7th 2014 in Conferences - Speakings

InsomniHack 2014, the hacker spirit

The famous security conference of French-speaking Switzerland, InsomniHack, with its workshops, talks and contests, is fast approaching! It takes place next week at Palexpo Geneva.

As every year, I have prepared several little things, starting with a talk that I hope will be enjoyable! I admit I have given very few explanations about the subject of my talk, or more or less some rather mysterious scraps of information. That is deliberate, given the subject, but I offer you here a few details, in case you would like to know more in advance.

Overall, over the years I have noticed that the vast majority of security aspects rest on immutable fundamentals. Whether in the time of the Commodore 64 and the Atari during the 80s, or now with Facebook, the NSA and Anonymous, nothing has fundamentally changed. Back then there were the same kinds of worries; the legendary film « Wargames » is a precursor, but if you look into the subject even a little, nothing evolves at the foundations. I am not saying that one should not adapt to developments or train for new attacks and risks, but let's say that once you have the « hacker » spirit, often acquired quite young, you keep the habit, and that this spirit is fundamental to understanding risks and countermeasures.

The « hacker » spirit is *not* the will to break in, I want to point that out for anyone who would misinterpret my words. No, the « Hacker » spirit is that of a passionate person, driven by curiosity, discovery and understanding. In former times, a few centuries ago, that was called an inventor, a scientist, a scholar. Without this spirit, a phenomenal number of things around us would not exist. To innovate, to invent, one must understand, and love digging into a subject. That is the whole Hacker spirit, in the noblest sense of the term.

Which brings me to the talk I will give next week at InsomniHack. I will not speak about IT security, but about the Hacker spirit, by giving you a few fascinating examples of « treasure hunts » built by enthusiasts into commercial products, designed to keep you in suspense while letting you discover plenty of techniques and ideas.

Ange Albertini gave a talk on puzzles a few years ago. I will do the same in a digital version. And I hope you will like it! Solving this type of riddle is good for the hacker spirit. It is the embodiment of the will to find a solution to a problem that is not at all obvious, even counter-intuitive.

I chose the last slot of the day to present this, a good transition between the day's talks and the contest that follows. And I wish you good luck ;)


Bruno Kerouanton on March 14th 2014 in Conferences - Speakings

Hypnotic desktop wallpaper


This weekend, I was doing some « research » on different visual effects, which led me to focus on optical illusions.

I had the insane idea of putting several of them onto my desktop wallpaper… and I've been using it for nearly 3 days now.

Trust me, it's really painful ;) I've got to be careful not to be hypnotized each time I move a foreground window, and it's really disturbing.


If you want to have a try, download it by clicking on the image, and tell me how long you can stand it!



Bruno Kerouanton on January 20th 2014 in Geek, IT

New malware received: Dossier_1848785.exe

I've just received a new piece of malware in one of my spam mailboxes.


The attached file is a Zip archive containing a fake PDF (it carries a PDF icon, but it is really a .exe file).


Bruno Kerouanton on January 10th 2014 in IT Security