Contents

Interview of Gregory Gille - CEO of GEOIDE

Interview of Gregory Gille - CEO of GEOIDE

/assets/images/posts/gregory_picture.jpg

Gregory Gille @1-vek, co-founder of Hyvilo and CEO of GEOIDE, Sponsor Specialist of Root-Me. Find out more about his career and his story with Root-Me!

Introduction / Presentation

Please tell us about yourself and what you’re doing at the moment

I’m Gregory Gille, founder of GEOIDE and sponsor of Root-Me. GEOIDE was created in 2015. It specializes in network protection equipments like firewalls, industrial gateways and data diodes. We work for companies operating in highly constrained environments or with a high level of security like the military sector and essential operators like nuclear power plants or hospitals. Since 2020 I’ve also been the co-founder of another company, Hyvilo, which provides an augmented management platform for local authorities and large corporations. We enable them to make all their internal procedures and tools operational without friction.

What brought you to cybersecurity ?

It’s been my passion since I was very young. In fact, as a teenager I almost fell into cybercrime - on the wrong side of the tracks. The subject is always a bit borderline… I stayed on the right side of the line by doing the right studies and quickly moving into professional positions in the army, in the special forces in particular, which gave me the opportunity to combine passion and profession.

Can you tell us about your education background ?

I started by studying to be a developer, i.e. a programmer. Then another challenger who was taking evening classes inspired me to go back to school. I did quite a few studies at the CNAM because I needed to complement my knowledge, and so I went on to study for 4/5 years there. The advantage of the CNAM is that it enabled me to acquire quite a few diplomas in about ten years in various fields: databases, development, networks, etc. There, I was able to combine practice with challenges on the one hand, to get to the heart of the matter, and on the other hand to confront the theory, to understand and go a little further.

What areas are you particularly passionate about ?

In the cyber world, I enjoy a little bit of everything but obviously what I’m most passionate about is the world of networks since that’s what I do. I also like exotic protocols. It’s in this area that our products excel for industry, the military, etc. Making a firewall that will filter FTP is frankly not very interesting but when you start to take an interest in the protocols used by radars, fighter planes, submarines, railways and subways and think about how to protect them, it becomes a real challenge and it’s really exciting !

Aside from that, I have a guilty pleasure that I discovered with the challenges: cryptanalysis. But it’s more of a hobby. It’s quite rare to have to use it in my job. I have developed a few cryptosystems because I needed them for certain projects. Sometimes there’s no room for cryptosystems that are too wordy and generate too much data. For example, if you want to send data by satellite you need a high level of security but you don’t have a lot of bytes available. That’s an interesting challenge ! I also have a small career as a part-time teacher in a private school, and crypto is one of the courses I teach along with C, Cisco, networks and databases.

Cyber Experience

What were your main challenges in learning this profession? What do you feel you can now do better with experience ?

I like this question because it’s quite divisive - even within my own company. As the saying goes, “If you don’t have any enemies, it means you don’t count”. A lot of people wouldn’t agree with that but I think we prove it by the facts in our business. Our competitors are really big structures and their vision is totally different from ours. In my opinion they fall into the same mistake: they don’t look at the problem fully.

At school we learn that we have to divide a problem into smaller ones, and that’s certainly useful in certain fields, but when it comes to cybersecurity the problem needs to be seen as a whole. This is one of the mistakes I made when I was a very young developer. More than 25 years ago I was working in a team developing the early stages of a firewall, and we only focused on isolated problems. We had a set of specifications and everyone had their reasons for doing what they were doing but as a whole the firewall was riddled with flaws and wasn’t operational. Each project manager in his sub-project was still right and had his best solution. It’s like trying to secure a cabin in the forest. The window expert is going to put in anti-intrusion windows, the door expert is going to put in an armored door, the alarm expert is going to put in the best alarm in his catalog,… but still they haven’t looked at the big picture: it’s a cabin in the forest with no electricity and there’s no point in putting an armored door on a wooden cabin. Perhaps the best solution was simply a guard dog.

In such cases, everyone is right in their own way but more generally everyone is wrong. And that’s probably the biggest problem in cybersecurity: everyone thinks they’re right. Those who make EDRs are sure they’ve got the right solution, those who make probes are sure they’ve got the right solution, those who make firewalls are sure they’ve got it also,… and in the end no one takes the problem as a whole. There’s a few players that do but they only provide advice. In fact, it’s the integrators who see the problem as a whole. Each expert will be right in his or her own field but if the question is flawed from the outset we’re heading for disaster.

Another thing I do better with experience is to understand which strategy to implement. For example, with my product strategy I can anticipate the wow effect that our products will trigger. My creating two start-ups taught me one thing – it’s a constant battle. And in a battle, finishing second means losing. Seeking the wow effect means quickly finding the true value of your product - where it will really have an impact. This implies looking at the problem from a wider angle than others. There are areas in which we excel such as multi-level defense, where we bring together things that are not at the same level of classification. We shouldn’t be looking at what the ideal protocol would be, but rather find how the systems could exchange. You have to look at things from above and think about how you can convince homologators that your system is better than the others'.

That’s what I’m better at today - I’m able to pinpoint things more quickly. I certainly wasn’t able to do that when I was a young developer just starting out.

What do you like about your job?

What I like about this job is that it suits my personality. It’s a world of challenges. Nothing is taken for granted, and from one day to the next everything can fall apart. Skills and knowledge are constantly being challenged. In cybersecurity, you can’t fall asleep - if you do for 6 months, you’re dead. Not all professions are like this. When you make yoghurts, for example, you can say that you’ve been using the same recipe since 1852; it works well, it reassures people. When you make a firewall and say it’s been the same code since 1850, it won’t reassure anyone. In our field you have to constantly reshuffle the deck and that’s what really drives us forward. Personally, I wouldn’t have liked a job where every morning I knew in advance what I was going to do, repeating the same processes over and over again. Cybersecurity people aren’t made for those dull jobs. Now I understand that some people may find these jobs reassuring. I guess we’re all different and I’m glad my job isn’t for everyone.

What do you see as the most important safety challenge today, and how do you plan to contribute to it?

I think the thing that scares everybody the most is the post-quantum era. I have friends and partners who are involved in quantum computing. Cybersecurity could partly collapse because of advances in the quantum world. This is the biggest security challenge. What will happen to our services? Will they become inoperable? And what will happen if we are not careful enough when we set them up ?

There’s the example of Estonia, who was attacked by the Russians and who really suffered from their lack of cybersecurity at the time. I don’t think we fully appreciate the danger that this type of attack represents today. How long could we live without electricity? What would we do if the banking system collapsed? We can live without a TV, we can live without the Internet, but for how long?

There’s another threat I have to mention. It is of a more military aspect: imagine the Russians and the Chinese joining forces. In such case we’d probably have 80% of the world’s best hackers on the same side forming real armies paid by governments. What would the rest of the world do in the face of such threat? Are we ready to take up the challenge against them?

I deal with these issues on a daily basis because my products are designed to counter attacks from such groups. It’s a driving force and my whole team does its best to ensure that these things won’t happen. I’m aware of the threats but I’m one of those who believe we can do it and who take action. As a matter of fact, we also co-founded the Cyber Campus to show that we are believers and that we will keep on moving forward.

I am pretty optimistic. Twenty years ago we were considered losers. In France, nobody talked about cybersecurity and passwords didn’t really exist. The archetype was the pimply computer scientist relegated to a small windowless office. Fortunately, we’ve managed to make the leap and show that it was important. Everything changed when the financial stakes were raised, when the attackers started asking for money. That’s when people started to take the subject seriously. Nowadays everyone is starting to be mindful of cybersecurity even if there’s still a lack of security education in some companies.

Your relation with Root-Me ?

How has Root-Me helped you along the way ?

In fact, Root-Me came towards the end of my training. I practiced mainly on Newbie Contest and HackBBS for the French platforms, and of course on foreign platforms too. If you have my username you can check out We Chall on https://www.wechall.net to find my ranking on all platforms. I’m on about fifteen of them. Or rather I was because now I don’t really do challenges any more as I have much less time. When Root-Me came along I was working on my idea of setting up a company. I was starting to industrialize my prototypes so that my codes could become real products.

In the beginning, Root-Me was like an indicator to me. When I started recruiting young people, they’d start putting their username or their ranking on their CV and that gave me a scale, a bit like a rating. It still does. I generally look at where they are in the ranking in relation to me, and if they’re above that means they’ve got something valuable to contribute. Above all, I can see what challenges they’ve taken on. If someone comes to me and has done all the network challenges I think he’s credible. If, on the other hand, he’s done all the stegano challenges and wants to work on firewalls I have more doubts. So Root-Me has been serving me as a reference point, a cursor for building my team.

Apart from that, I’ve learned a lot on Root-Me. Compared to other platforms which tend to offer challenges in the form of games or puzzles, Root-Me mainly offers very operational challenges. You don’t have to spend 3 weeks or a month trying to figure out where you’re going. In the case of the realistic challenges nothing is explained, but all the useful resources are provided to allow you to focus on the objective.

The real moment of enjoyment is when you finally exploit the vulnerability, it is not when you find the first step to take. Training yourself to go as fast as possible shapes the way you think and it helps you when you’re building your own systems.

I’ve also learned about code proofreading. Every coder thinks they’ve done the perfect code but in fact you must have it proofread by your colleagues and sometimes even by code proofreading experts. We have products that are certified by the ANSSI and we’re not ashamed to show our source code to evaluators. If all the cyber players weren’t afraid of being proofread instead of hiding things under the carpet, we would all be better off. During the evaluation, the worst that could happen is that a flaw is discovered and we’ll all learn something! I’ve partly learnt this advantage thanks to Root-Me.

This platform has also introduced me to a lot of interesting things like for example cracking Android phones or a Gameboy. Cracking a Gameboy is a good introduction to hacking industrial control systems. It’s not a PC and it gives you a different perspective.

Which challenge category(ies) do you prefer and why ?

I’m very fond of cryptanalysis as you’ve probably already guessed, even though I know this will make some of you laugh. I’m passionate about everything to do with RSA and asymmetry in general. I’ve tried to explain to my crypto students the Chinese Remainder Theorem. It allows us to crack an encrypted message for several recipients. It’s a vulnerability. I love these kinds of challenges but in everyday life we don’t actually do anything with them.

Network challenges are the ones I’m best at but they’re not the ones I prefer.

The realistic challenges are pretty cool because they represent a part of my work today. I’m thinking of a machine in particular where we have a VoIP system. It is a good representation of what we’re dealing with with our customers who have telephone and industrial systems. I’m a little less passionate when it’s just a web server.

What aspects of Root-Me do you particularly enjoy (ctfallday, Discord, quizzes,etc) ?

It is a CTF on a VoIP virtual machine, called Vuln VoIP I think. I was familiar with it but I wasn’t really an expert. Beyond that, every challenge is a success for me. I could name many that I’m not so good at: crack-me, app-systems,… but it’s really a victory every time I succeed. I know that on crack-me there are younger people who are much better than me. It’s a generational thing. There are languages I am not so familiar with. If it’s not done in C++, I find it harder.

What does the Root-Me community offer you ?

I like being on Root-Me to relax, and maybe that’s not the right word because it’s very stressful when you can’t complete a challenge! But at the same time, it’s when you’re stuck that it gets exciting !

For me Root-Me has 2 facets:

It’s a vector of relaxation. When I need to take my mind off things I resume some uncompleted challenges. (I’ve still got plenty on the go and at some point I’ll complete them all). It’s also a good indicator in my line of work. When we became a sponsor of Root-Me, the transition from challenger to sponsor was a bit complex for me. The decision was still an easy one because we share the same values and it made sense to play a part in ensuring Root-Me continues to thrive. Not so long ago, people would have said that Root-me was a pimply geek thing with no value. Today, things have changed. There isn’t a single IT school that doesn’t know about Root-Me and that believes it’s just a gaming platform. It’s really an educational tool. Being a sponsor also enables us to be identified by certain profiles since our logo appears on the platform.

This was the case with a young person who recently applied to work with us. During his interview he told us he had learned about us through the platform. Root-Me has become a benchmark: people who are on Root-Me are already on the right side of the line, and there’s little chance of them crossing over to the other side.

Tips

In your opinion, what are the main qualities needed for this job ?

You have to like challenges and be comfortable questioning things. You can’t take anything for granted, and you have to be fairly humble in the face of the enemy. Cybersecurity is a rather special environment. You can’t be afraid to fail and you need to have a challenger’s mindset. If you don’t want to win the World Cup you won’t be happy in cybersecurity.

What technical tips or tricks would you like to share with our readers ?

First of all, you can’t learn to code by coding 7 hours a day. To succeed in this sector, you have to live on code and fresh water. When you’re 20, it’s 20 hours of coding a day.

In fact, the more you code, the more you learn best practices, the more challenges you take on, the more expert you become. If you start early, by the age of 25 you can already have a highly developed level of expertise. In my opinion, you have to become an expert very quickly, and then you can build your career from there. There’s a big difference between starting out as a cyber beginner or as an expert.

In my companies, there are young people who are heads of business units at under 30 because they’ve got the passion, they’ve got the qualities and, above all, because they coded a huge lot. And that’s the best trick of all: you have to code, code and code.

What’s the most important piece of advice you’d like to share with other cybersecurity professionals ?

We’re all competitors but we’re all partners too. We each have a piece of the answer, but together we have the complete answer. Being at the Campus Cyber gives me the opportunity to talk to a lot of companies in the sector. I recently had the chance to talk to YesWeHack and Quarkslab, for example, and I love these exchanges because everyone has a different vision. The more we talk, the more we realize that everyone has a piece of the solution, and that together we can solve the whole problem. We’re all indispensable elements of the global security. Unlike the big industrialists who think they have THE solution and try to impose their standards and solutions… They’re wrong. We really need to be aware of this. The Campus Cyber is at least right on this: it’s by federating that we’ll get the best results.

What’s your favorite cybersecurity quote and why ?

I’ve got two.

Obviously, the first one is from Root-Me: “La root est longue mais la voie est libre”. It pretty well sums up my thinking on cybersecurity.

Another quote I quite often use is: “Hacker vaillant rien d’impossible” – To valiant hackers nothing’s impossible.

Sometimes the system just doesn’t work. Maybe you have to bypass the basic system security to really secure it, find the right info, know why or know how. Most of our competitors are wondering how we do it, and while they’re asking themselves these questions, we’re moving forward and producing V2, V3 and so on. This quote is extremely important to me. It is the driving force behind the company because the moment people think it’s impossible, there’s a breach for action. We solve seemingly impossible problems. And that’s the heart of cybersecurity, as well as the raison d’être of GEOIDE and Hyvilo. The idea is that if we were doing the same thing as everyone else, why would anyone choose us? We’d be doing the same thing, and maybe not quite as well as our competitors. So, either we succeed and break the market or we do nothing. That’s the spirit of “Hacker vaillant rien d’impossible”. It’s about going where no one else dares to go.

What are your ambitions for the future ?

Following on from what I’ve just said, we recently identified an area that’s putting a bit of pressure on us and we want to get into it. We can’t go alone though. We’re looking for partners. We have to go with big players. We’ve noticed that in the world of railways in general (tramways, metros, TGV trains) cybersecurity is almost non-existent. In fact, there is no cybersecurity leader in this field. There is one Israeli company that stands out, Cylus, but what they offer is a kind of probe that detects the fire but doesn’t put it out. This doesn’t solve the problem, and the phrase “knowing there’s a fire doesn’t put it out” is our way of thinking.

We’re here to counter the problem right from the start. What our customers need is not either an alarm system or a fire department. They need both. We want to become a leader in the rail sector because we’ve noticed that no one is taking the subject seriously. We want to go in with military technologies that have already proved their worth. We’ll be working with a major industrial company like EGIS or SIEMENS, which is already a major player in the rail sector and could be a good partner in this area.


To learn more on GEOIDE and Hyvilo :