Monday, July 27, 2009

31337 Spotlight: Andre Gironda

The most beautiful thing about the hacking or Information Security community is the diversity of opinion. If you ask 2 different people, you're likely to get 2 different answers. Nowhere is that more apparent than with the character I have for you folks today... one Andre "dre" Gironda. The first time I met Andre was on a mailing list and subsequent blog post where I was flamed for my views on Web App Sec... and while I tend not to take things personally this "encounter" was one of the things that's made me work harder to evangelize the realities of Web App Security, and security in general. Andre gave me a healthy dose of his logic... and while we've had our disagreements I think he's come a long way in the last year or so... and while I've not met the guy in person - I do aim to... to see if he really is a really, really, really nice guy. [For the record, using Jim Manico as a character reference? hrmm.... I'm joking Jim!]

Andre's always full of fire-brewed opinions, unique logic and sometimes a flare for the dramatic... and while we don't always agree - I think he's someone that doesn't get enough credit for the contributions he's made to the industry. This is "dre"... in his own words...
  • Andre - tell us something about yourself
My name is Andre Gironda, though some might know me by the handle "dre", as in "Dr. Dre" or "Mac Dre" or perhaps even "Andre Nickatina". I write for the tssci-security.com blog. I give talks usually at places like Toorcon or local OWASP chapter meetings. I don't support big events like BlackHat, Defcon, or even OWASP AppSec because I feel lost in the crowd and it always feel like I never learn anything or meet any nice people. I promote myself as a very vendor/product neutral industry analyst and information security management/risk management adviser. I dislike commercial products. I even dislike most open-source projects. Sometimes I prefer pencils and paper. My cell phone doesn't accept text messages and has a data rate of less than 10Kbps. I use a 6 year old X series Thinkpad, which is my most expensive
possession. I'm ghetto, yo.
  • What types of technologies do you focus your 'hacking' on (and why)?
I'm a generalist. Because of my involvement with OWASP, I tend to focus a lot on web applications, perhaps ones in the payment industry space. In the 90s, I used to break networks and force revisions of CatOS and IOS, as well as discover VLAN leakage and major architectural issues such as the lack of route filters at major peering locations and esoteric DoS/DDoS issues. I have been a proponent of technology innovations such as Optical Ethernet, Virtual Infrastructures, and Service-Oriented Architectures. I used to fling acronyms like CPT (which we all know probably stands for Compton), but now I'm all about ALM (which you'll have to figure out on your own).

I like the idea of hacking people and process. I like the idea that I can use my hacking skills for good and cause organizational change through discovery of
organizational management and behavior. A real "hack" to me is to take a disfunctional organization and turn it into something awesome. I lay the
smackdown on some fools, know what I'm saying?
  • What your most famous/proud accomplishment over the course of your career?
Mentoring. I like adult educational theory and learning. I'm a horrible presenter (be sure to check out videos of me from Toorcon 9, Shmoocon 2008, or most recently at Toorcamp), but I'm a good teacher over the Internet, one-on-one, or in small groups. I'm like Michelle Pfeiffer in "Dangerous Minds".
My hubris is that I'm a bullshit-detector and a skeptic. This causes me to appear as if I'm fighting with other analysts or infosec professionals. For me, this is old hat -- hacker groups used to fight (i.e. red/blue team) each other on systems and networks. Obscenities would occur. People's landline phones, public service utilities, garbage delivery services, and other "too close to home" comforts that we take for granted were suddenly snapped away (or changed in some hilarious way) based on online hacker wars. This was all in good fun back then. When you met the guy that you 0wned in person -- you bought him a beer and it was all good. Maybe you pissed in his office trashcan later that same day, but usually it was from too much drinking and not the forlorn bitterness. I miss bringing bottles of OE to vendor events and fancy dinner parties. I'm going to pour a whole 40 into the ground at the nearest park once I leave work today for all of my missed homies.
  • What got you started in Information Security...
I knew a bunch about Unix systems and network technologies such as bridges, T1/DS3/SONET/BLSR/UPSR hierarchy, the "old kind of terminal servers" with modem pools and manual dialed-number hunt-groups, as well as higher-layer Internetworking. Then I logged into this BBS called UPT, ran by Tom Jackiewicz and Lane Davis. I started using Satan, PGP, SSH, and S/Key more and more often instead of occasionally. Then I got a job. Bling bling.
  • Tell us something that people rarely know about you?
I'm a really, really, really nice person -- "in-person". Ask Jim Manico from the OWASP Podcast. We finally met in-person two weeks ago, and it's been fun working with him on the Podcast News. It was great to have you on there as well... you'll have to join us in our roundtable news segments. Shout outs to my peeps.
  • BONUS: What was your first computer system?

I clearly remember a Magnavox Odyssey² as the first piece of hardware to bring home and play with in 1979. My favorite computer of all time is one I still own: a Sun SPARCstation IPX with the Weitek 90mhz write-back cache processor (instead of pipeline burst), the memory extension board, and the SBus memory expansion card (bringing it to a total of 128MB of memory). I even have the microphone, laser mouse and pad, as well as the purple "L" to put it on its side. There's some sort of crazy framebuffer SBus card in the other slot with just as much video memory. Sun4c was clearly my favorite computer platform of all time. Respect.

No comments:

Google+