Judicaël is a pentester and researcher

I became interested in IT in college in the early 1980s. I had an interest in all things technical, and then I came across a book that talked about computers and computer programming. I spent quite a bit of time with friends who had computers, which allowed me to start programming in BASIC language. Santa Claus brought the first computer in my family in 1986: a TO7/70. Finally, at the beginning of my Higher School Preparatory Classes, my parents bought a PC. The bill, including the printer, was around FRF 20,000 (more than four months of the French minimum wage at that time). I programmed it in Pascal but also a little bit in C and C++. Two years later, I was admitted to the École Normale Supérieure. At the time, I wanted to be a math researcher. I only saw computer science as a technology, certainly exciting, but not necessarily very deep. I was lucky enough to have passionate teachers and discovered that it was a science: not only could you understand how computers worked by following a reason-based approach, but computer science was much more than that, had its issues and was not just a utilitarian discipline for others. This eventually led me to move from a Master’s degree in Mathematics to a DEA in Computer Science. 

I wanted to do research and to do that, I had to start with a thesis (which gives the doctoral degree). 

My parents were both math teachers. I was stimulated by the conversations they could have with each other as well as by the different math books I could get my hands on. Once I got my master’s degree, it was quite natural for me to sit for the Agrégation de Mathématiques, and I took advantage of my first year of the thesis to do so. 

Actually, my career actually began as early as the thesis years: this is when I began not only to do research but also to teach. This was a discovery. From teaching, I was more aware of the downsides: my parents blaming their students’ mistakes by correcting their papers in the evening or on weekends, for example. I discovered the pleasure and richness of the human relationship, especially in difficult times, when students need encouragement and support because they are faced with academic or personal difficulties. I also loved to see them progress and to experience the satisfaction of being able to communicate about my passion.  

The idea of being able to exchange secret messages with a friend that only the two of us can understand is something that makes us dream from childhood. And I think it was these childhood dreams that attracted me to this rich and demanding field; I started with the conviction that I already knew a lot about cryptography… and I came out of it with the conviction that I didn’t know much! A researcher in cryptography must have at least a good knowledge of algebra and probability in mathematics, as well as a good understanding of the notion of complexity class in computer science. 

Research has a playful and addictive side. You get caught up in the game. I think that in the end, it’s quite close to the philosophy of a pentester: an expert who performs an intrusion test gives himself a challenge (to get into a system, to retrieve as much information as possible) but doesn’t know which approach will work. The objective will be refined and evolve throughout the mission. It’s the same in research: you give yourself a general objective and try to see how to achieve it. Sometimes, when what one has envisioned succeeds easily… it’s almost boring. Sometimes, there are unknown obstacles that spice things up… or even are discouraging! You tell yourself then that you will see later if something unblocks and you try to explore another track while waiting. Sometimes those which we explore seem all closed, until all of a sudden… eureka! You find a good angle of attack and you exploit it. And, in this case, the satisfaction felt is equal to the difficulty! 

I have taught math and computer science to students in these classes, on the one hand to students in biology, chemistry, physics, and earth sciences and on the other hand to mathematics and physics students. For me, the strong point of this experience is the pleasure of teaching. For example, a student who, after passing her exams wrote to me: “Thanks to you, I discovered this year that mathematics is not just a utilitarian subject“. I also remember a student who, despite constant hard work, could not keep up with the pace and whom we redirected to slower-paced classes; six months later, he wrote us that he was first in his class. As for the minus: the prep programs change little from one year to the next. I like newness, so I’ve nurtured the desire to change after a few years. What’s more, in my opinion, the program and schedules were not ambitious enough concerning today’s computer science challenges (but that should improve a bit with the 2021 reform). 

On the one hand, I work on the classical missions of ethical hackers, mainly external intrusion tests, code audits, application architecture audits and I give training. On the other hand, a little more than half of my time is dedicated to R&D. 

This is decided with my manager, depending on the missions. When I’m not on a mission, I take advantage of the time I have to do research. Usually, an assignment takes a week or more, continuously. The R&D time is therefore split logically into one or a few successive weeks.  

Even if it’s a bit complicated with the health situation, I work as a team with my pentesters colleagues, either formally (when there are several of us on the same mission), or informally: if you work alone on a mission, you can ask your colleagues for tips. When I say “we ask”, most often I am the one asking: since I have only been at Orange Cyberdefense for one year, I still have a lot to discover. As for the research part, my work is more solitary daily but I have exchanges with members of my team in Lyon who work on R&D-type issues, as well as with members of other Ethical Hacking teams in France… and hopefully soon internationally. 

I like discovering new things (almost every day), the good understanding and exchanges with colleagues, and the feeling of contributing to a safer world. 

”Free” is about computer freedom (think “free speech”, not “free beer”), i.e. free software provides you four essential rights: 

• To run it as you want

• To study how it is made (including accessing its source code) and adapt it to your needs 

• To redistribute copies of the program 

• To improve it and to distribute your improvements to the community

Free software is also called “open source software”. 

In cybersecurity, a good security architecture must be robust enough to withstand attackers, even if they know all the technical mechanisms that are implemented. In other words, security must be based on the secrecy of the passwords and cryptographic keys used and not on the secrecy of the design or implementation of the system. This is a fundamental principle of cryptography, identified as early as the 19th century, which now bears the name of the person who enunciated it: the Kerckoffs principle. 

Open-source software is particularly interesting as it is software whose source code you can read. It does not guarantee per se that it is secure, but it allows you to check whether it is secure. In contrast, some companies are sometimes blocked by one of their software providers, who refuse to let them audit the code of the software, even though that software is critical to their business. 

The first thing is to be curious and passionate! Then, I advise all those who want to work in computer science to acquire a solid foundation in mathematics and theoretical computer science: even if neither is required, theoretical training gives extremely powerful tools that help you quickly understand a new field and will let you tackle tomorrow’s problems. And in any case, read a lot to find out what questions others ask themselves and how they answer them! 

If you want to know more about pentesting, click here.