Pantharax Cybersecurity enthusiast

To embark on projects

Whether to progress technically or intellectually, or to build a portfolio, projects allow us to open our minds. Unfortunately, we don’t all have the same creative mind! While some people can easily imagine projects to do, others will go round and round wondering what may be interesting to do. I belong to this second category.

The choice of the subject

Every project starts with a need. This need can be yours or come from an observation you made. It’s always easier to start from a need because it will guide your choices and your thinking. If you find that you lack a tool in your environment, you can imagine developing it. Unfortunately, if you are alone, this project may take time and energy. Still, nothing is impossible: look at Mark Zuckerberg, who managed to develop the first stages of a social network all by himself.

In reality, you can embark on a project even if there is no need. Let me illustrate this with a concrete example: I developed a Python client for Troy Hunt’s HaveIBeenPwned API. There was no need behind it because there are already dozens of Python clients for this API. Nevertheless, a project can allow you to challenge yourself. In this case, this mini-development project allowed me to discover Python libraries.

For those who, like me, don’t have much imagination, you can look for project ideas on forums or elsewhere, by talking with other people. Acquaintances who are not in InfoSec, or in IT more broadly, will probably have needs that you don’t have, and you can try to help them.

Challenge yourself

In addition to a need, a project must allow you to progress in a field. You must challenge yourself and get out of your comfort zone. So in the beginning, I agree, it will be difficult to start. If you want to progress in a domain, you will have to force yourself to test new things and to apply principles or technologies. This can be testing an existing PoC (Proof of Concept) or using a new library. Maybe, by trying technologies that you didn’t know, the idea of assembling them in a project will even be born.

Telling yourself that you will not succeed will not help you progress. Humans are afraid of the unknown, but it’s necessary to overcome this fear to go further.

Assess yourself

When you start a project, it’s important to take stock regularly to assess your work, and especially to note the points where you progressed as well as those where you failed. Take the opportunity to write down helpful references, websites, books, or anything else that has helped you.

The idea is to follow your roadmap and enrich it as your project progresses. Moreover, it’s quite possible that ideas come to you once your project is launched! This roadmap will be the basis of your project and you will rely on it to write the documentation of your project and to explain it in your portfolio.

Thank you for reading! I hope that my English isn’t so bad.

Introduction to privacy

Privacy, you said?

Well, talking about privacy may take a long time but I thought it was interesting to tell you what I think. It may not be very organized, I write it as I think, it’s just an introduction after all.

Before arriving at the usual speeches of “We must use Linux” or “We must ban Facebook”, we will try to understand how our data is manipulated on the Internet.

Social networks

We will start quietly (or not) with social networks and the use they make of our data.

The use of data

You have to be honest with yourself: as soon as you register on a social network, you provide a significant amount of personal information, just to access the service.

Once registered, you’ll “Like”, “Share”, interact with content. Unfortunately, this content may not have been suggested to you by a friend but by an advertiser.

An advertiser is an advertising company that pays the social network (in our case) to advertise. But to be profitable, the company has to target its ads at a given audience, because that is the best way to reach potential customers. However, to target an audience, the advertiser has to know it, and for that, it needs the social network to provide some information about you.

This is where the question of privacy comes in: what are you willing to give, in terms of data, to the social network so that it can sell it to advertisers? Unfortunately, you are usually not given the choice… Profile, photos, friends list, age, place of residence, hobbies… Everything is useful for building a profile that resembles you as closely as possible. Advertisers then create user profiles and adjust their ads based on which profile you are closest to.

This is how we see scandals like the one involving Facebook and Cambridge Analytica, but it’s far from being an isolated case! Keep in mind that if a service is free, you are the product! This is not true all the time and it may even be true for a paid service!

A little social engineering?

I will be very brief on this subject because I am far from mastering it, but it is quite simple to do social engineering thanks to the data you publish on social networks (or even on your personal blog). To put it simply, anything you say can be used against you at any time from the moment it’s public. So do not put too much sensitive information about yourself or about your company in your publications. I recently read an article published on the Malwarebytes blog about the use of data on LinkedIn, and you quickly realize what can be done with a simple Google search (with Google’s APIs particularly). It’s still quite simple to use Open Source Intelligence (OSINT) to gather information about a “target”.

The e-commerce

A fairly quick topic to address: the use of cookies on merchant sites. Although you are told, because it is mandatory, that cookies are used to “improve your user experience”, they serve above all to track you on the Internet and make it possible to suggest specific products to you. Thus, when you go to a merchant site and visit the page of a product, the site records what you do by saving it in those famous cookies. Let’s say now that you do not buy this product and go to another site… Your favorite social network, for example. You will then be likely to see an ad showing the product you just looked at, as if by chance!

Small digression: a small camera

Deviating a bit from the other examples but staying on the topic of privacy, we could look at surveillance cameras or even your webcam, neatly integrated into your laptop. Yes, the little camera that looks at you all day! Let’s say it right away: it can be activated without your knowledge, even if the small light that indicates its activity is switched off. Said like that, we laugh less. So put a cover in front of the webcam; anything will do. Maybe it will prevent you from being blackmailed one day because someone has a video of you, naked, strolling in front of your laptop. Same thing for surveillance cameras… Putting one in your home to make sure no one gets into your pretty house is a good idea, except when you do not configure access to this famous camera. Indeed, allowing access to your camera from the Internet without a password, or with the default one (which amounts to the same), can turn against you. Let me explain: imagine that a burglar realizes that your home is empty because he had access to your own surveillance cameras; he will be able to go and steal your belongings undisturbed. A site that illustrates my point: Insecam. Personally, I find it scary.

To conclude, pay attention to what you share or publish, and remember to clear your cookies from time to time to avoid being tracked, but do not fall into paranoia. Tell yourself that everything you post on the Internet (social network or not) will never be forgotten by the servers that hosted it.

And finally, never say, “Anyway, I have nothing to hide.” or “My data does not interest anyone.” Everyone has something to hide; that is the very principle of privacy. Otherwise, your house would be open to all passers-by in the street! And yes, your data interests many companies because it is worth money!

Why InfoSec?

It can be an interesting question… Actually, when I started to study computer science, I had no special interest in InfoSec! I was not particularly attentive to the world of security but, because I was always asked to troubleshoot friends’ computers, I began to learn the basics of computer security.

The event that changed my way of thinking

Well, let’s go back to 2014! I got a phone call from someone whose computer was infected by ransomware… Well, you know the story! I thought it was so unfair and that’s why I decided to jump into this wonderful world. It’s not so easy to begin, especially when you don’t know where to begin! Information Security is a huge field, very interesting.

Manage the time

When you begin in a new area (and when you’re passionate), you always want to learn new things. The new challenge is to manage your time, particularly when you’re a student and your teachers ask you to do your homework.

And now…

I discovered a school which is specialized in cyberdefense. Moreover, in this school, I have the advantage of being in an apprenticeship. I chose a position in a French company which is specialized in retail, and I work under the responsibility of the CISO. Now, I have to wait to graduate (there is about a year left) and to receive my diploma to become an Engineer.

What can I say? I’m very happy to be a member of this wonderful community. I began to do technical stuff thanks to the Root-Me and NewbieContest platforms. I’m always looking to learn new stuff, technical or not.

Thank you for reading, have a nice day!

Introduction

Welcome to my blog!

WHOAMI

To introduce myself quickly (you have a better description here), I’ll say I’m a student in cyberdefense who wants to learn and share. I discovered computers when I was a child, which is why I decided to study computer science when I was 17. I graduated with a two-year technical degree in computer science, and now I’m studying cyberdefense to earn the title of Engineer in Cyberdefense.

What you’ll find here

With this blog, I want to share with you what I know, even if it isn’t very technical. I’m currently interested in Reverse Engineering and in scripting for automation tools, which is why I’ll try to explain what I do.

I have always thought it important to share one’s knowledge when one has the ability to do so.

What you’ll probably not find here

I’m an occasional CTF player, so you won’t find write-ups or anything related to CTF here. In the rare cases where I play in a CTF, I’ll try to explain what I did.

Thank you for reading!

Feel free to email me (contact[at]maximebatard[.]fr) if you encounter issues or if I make a typing error.

Never stop learning!