Our interview this week is for another big one, in this case Chema Alonso has been the victim of our questions. You have kindly wanted to take the time to answer us exclusively, something that we appreciate knowing your schedule.
I think Chema Alonso, one of our most popular national hackersIt needs no introduction and understand by "hacker" the true meaning of the word. For those who do not know him, you can find out more about him by googling and I encourage you to access his blog, where you will find interesting posts about security. You know Evil-side awaits you. In the meantime, you can read what he has answered us.
Linux Adictos: 1- The first question is obligatory… Pablo Motos, Jordi Évole, Mamen Mendizábal and now me. What happened to you, Chema?
Chema Alonso: I try to serve everyone. Reply to everyone's emails and messages. It is true that I do not give enough. They put me messages on Twitter, Facebook, Google+, Youtube, Instragram, the blog, email, etc., and it is totally impossible for me to find time to answer all of them, but I swear I try. As for journalists, the truth is that I have had to be with some very good in television, but others also very good in the press and in the Internet world. If I make time, I answer the interviews.
LxW: 2-I understand that you have been a Linux teacher and during your career you have worked with Linux distributions. What do you like and what would you like to change about it?
IT: Yes it's correct. I have been a GNU / Linux teacher for many years and have given many RedHat courses - which was the most advanced in the late 90s -. About GNU / Linux I like that you can build many things with these systems, the modularity that exists to do it to your liking, and the amount of tools there are. Distributions with Kali Linux, CentOS, Ubuntu or Debian are examples of how the same core can be adapted to many different environments. I do not like the religion that some profess with free software and the lack of some business management tools and user environments. There I still prefer Microsoft Windows systems or OS X systems.
LxW: 3-As is common, open source arouses sympathy and hatred. Some think that it is of poor quality or that it is more unsafe than the closed one. What would you say to those who think that?
IT: Any of these statements, by itself, is wrong. The important thing is not whether the code is open or closed, but what is done with it. There are very elaborate and worked free software projects, and others that are not. Thinking that a project because it is OpenSource is going to be audited by everyone is not true. You have to do much more than that. Also, no matter how much you have the source code, discovering security bugs is something that may only appear when the code is compiled for a certain architecture and run in a certain environment. That is why Fuzzing techniques are used.
On the other hand, publishing the source code and security updates in Open Source projects, opens a window of opportunity for 0days search engines when it comes to generating exploits before there is a patch that solves it in the distributable binary. We have seen it in many cases. My opinion is that, whether OpenSource or not, what matters is the quality of the software and if we have made the software in our companies for our security, in addition to auditing it well, I prefer that the source code stays at home} :).
LxW: 4-You own 0xWord. I have several titles on your security and I recommend everyone to take a walk around the web. It is a somewhat atypical bookstore, because you give opportunities to new writers who want to publish their book on security or other topics. Free software also offers many opportunities and I think it is vital for education. Don't you think that companies that develop proprietary software should rethink opening their code?
IT: Many already do, but I don't think it should be a majority. Huge amounts of published source code are available today, which is a great learning aid. I believe that a company should open its code in certain circumstances, but I don't think it should be the only way. It may be that a small company opens its free code and then a large company takes advantage of it by improving and exploiting it without the small company being able to compete for it. I think that for a student or a professional making open source programs is a great cover letter, and for companies it can be a way of creating a community and better positioning the product, but it is not the only way.
LxW: 5-And in addition to the previous question. Our blog is geared toward free software and Linux, but we've been writing a lot about Microsoft lately. He has opened some of his projects, some statements have appeared that have surprised us, they launch .NET Core and Visual Studio Code for Linux and it is rumored that open-source Windows is being discussed internally. Would you like to see an open source Windows?
IT: Microsoft already has much of its source open, and is likely to open more in the future. Maybe they will release it open source in the future, but I don't think they will do it shortly - maybe I'm wrong -. To this day, the Windows operating system continues to have a lot of sales compared to its competitors, and in large part it is because of how they do things in the kernel and at the operating system layer. It is a competitive advantage that they want to position to fight against other systems such as Android, iOS or OS X that have other competitive advantages.
LxW: 6-It is behind Eleven Paths, a company on digital security that arises from Informática 64 and Telefónica. This last company, with which you have a relationship, opted for the Firefox OS operating system for mobile devices. What do you think of Firefox OS and what advantages do you see over iOS, Android, Tizen, ...?
IT: Not only do I have a relationship with Telefónica, I also work at Telefónica. The company has long been committed to user freedom of choice and net neutrality. And while some companies talk about net neutrality to create services with equal possibilities, they make their systems less interoperable day by day. Moving your digital life from iOS to Android or from Android to Windows Phone is a pain. They are not interoperable at all. Telefónica's commitment is to support a broader and less closed ecosystem, which is why it opted for Firefox OS and continues to support it. The advantage is that behind it is the Mozilla Foundation creating an ecosystem of Webapps that can run on any system. That is the advantage that the "crazy" Mozilla want to enhance.
LxW: 7-Let's talk now about FOCA. It is wonderful software, but from our point of view it has a bug that has not been corrected. Not available for Linux! We can run it from Wine, have other tools or with MetaShield Analyzer, but we still miss it. There are many tools for pentesting, forensic analysis, etc., for Linux. There are also many distros like Kali, Parrot OS, Santoku, DEFT, and a Largo, etc. Linux is undoubtedly very important in this section. Why have you decided not to carry FOCA?
IT: We never ported FOCA due to lack of resources, now we are thinking of releasing the code in .NET and that people decide if they want to compile it for Linux with the new Microsoft announcement or improve it day by day. You will have to wait a bit.
LxW: 8-NeXT decided to create a Unix operating system, which would later become the germ of Mac OS X when Apple acquired the company. Unix is certainly a great system and Microsoft flirted with it with Xenix. But finally Windows NT (OS / 2) appeared. Do you think that if Windows were a * nix today it would be better?
IT: No, far from it. Microsoft did not "flirt" with UNIX, Microsoft built XENIX that was sold to Santa Cruz Operations, and SCO UNIX became the most widely deployed UNIX in the world. The Windows kernel is a marvel and this is demonstrated by the performance and user experience of the 6.x kernels.
Anyway, to think that the Windows kernel and the UNIX kernel differ greatly ... is a mistake. There's a great lecture by Mark Russinovich called "A Tale of Two Kernels" where he looks at what Windows NT kernels and Linux kernels have, and it's surprising how nearly accurate they are.
In fact, I love a phrase Linux Torvalds said years ago at a conference where he was asked why kernel developers were a community that changed faces so little and incorporated few new people. He said that, in addition to not being the friendliest community, the time for simple solutions to simple problems in creating monolithic kernels is years past.
LxW: 9-I always hear you say that you should use an antivirus. Not only in Windows, but also in other platforms such as Mac OS X. Many say that an antivirus in Linux only serves to slow down the computer. What advice do you give linuxers about this and what antivirus do you recommend?
IT: If the issue is to slow down the system, remove the firewall, the protections of the entire operating system ... and run! } :)
LxW: 10 - And the last one the most difficult of all. Was this the worst interview of your life? ; p
IT: Nooo, far from it. They have come to ask me so much nonsense ... I once told a radio journalist: "Please don't ask me that which is bullshit." There are times that I write them the questions they have to ask me so that I can explain current things correctly. If I counted….
It is a pleasure to have people like Chema Alonso for our series of interviews and that, in addition, in this case brings us good news for the future and that is maybe we have FOCA for GNU / Linux ...
Great job , Linux Adictos :3 greetings.
Well, a lot of people think the opposite of this Telefónica mercenary and faithful follower of the NT kernels, and that is that an open source allows the innovation and evolution of a software, and no matter how little it is audited, it is less prone to 0 -days.
What makes open source less prone to 0days, no matter how poorly audited it may be? And in the same way ... what makes it innovative and allows its evolution if it is poorly audited or generates little interest in the community? reason for your comment.
I imagine it says it because of a 100% that uses open code not even 10% has to analyze the code maybe at home if you analyze it but you only enter that 10%.
Microsoft mercenary, if a case.
That Telefónica is committed to net neutrality? Let him tell his boss, César Alierta, to see how he laughs (alcoholically, of course). From Mr. Alonso one cannot expect too much criticism of his employers; however, it is not difficult to find him bordering on the ridiculous to defend them. With the best security of closed systems, I suppose that he will refer to those of trustworthy companies or entities, not his beloved Microsoft (or Apple, Google or so many others) for whose practices against their clients it has been so often unmasked ( from long before PRISM until now, with the information that Windows 10 sends, whether the client accepts it or if they mark everything that they do not)
You confuse privacy with security holes (failures come on) and in failures IT IS THE ONE THAT HAS THE LESS
It is also a type of security hole, be it intentional, external, etc. but it is.
Chema is the fucking master!
Go fanwin this hack right? XD
Congratulations! very good interview.
Come on, User's comment is a bit old, nowadays not auditing the code led to many vulnerabilities in 2014. Vulnerabilities that were over 20 years old and nobody said anything, many zero Day vulnerabilities that have not been discovered by ethical researchers , they are already in the hands of companies and criminals who sell them to the authorities of each country, there the myth of open source ends
I was at a conference where he presented his FOCA program, and he said that he had given it that name because seals eat penguins xD
I think antivirus is a very poor response, especially for a person who is considered one of the best in security. Putting the firewall consumption at the level of an antivirus is ridiculous, in addition to not having answered the question in a coherent way, such as:
For an ordinary person, the use of an antivirus in Linux can be heavy, and not very effective, however for a company it is an essential security requirement.
seal did not. since the program knew him before he used it. it was already used to figure things out in metadata.