 Welcome to my talk, and yeah, you're not an idiot, or maybe we're just all idiots. So I'm a reverse engineer for some time, and I'm mostly known maybe for ponies of crypto, polyglots and stuff, and now I've been for a couple of years, infosec engineer at Google, and 13 years of malware analysis. And yes, I leave a reverse engineering and everything, hacking and stuff. This talk, you might see me as successful, you know, Google and Pony, but I kept seeing myself as an idiot until very recently. And yet I'm still the same. So why until now? And why not now anymore? And choose your flavor. The slides are quite generic, but the recording is much more personal. So if you're interested in the details, yeah, probably go watch the recording later. So is it another success speech? Not at all. I'm just not an expert and I'm biased, but I'm here to share and learn. And probably I will say a lot of unpopular opinions, but definitely this is like, I've been feeling an idiot for like 40 something years, 45 years of my life. So first of all, there are many reasons to over worry in infosec and forget about yourself or your friends, which is my experience in infosec in general. Infosec is more than boring. It's exhausting or harmful. There are very repetitive tasks and urgent and uncertainty is exhausting. And there are a lot of people abusing this, but we are always wrong. We know we are the ones preventing projects to launch. I was asked on the morning of holidays if I would prevent a feature of YouTube to be blocked or I analyzed some security feature of Gmail that was taken down later on. It was unfixable. We're easily misunderstood and we're just supposed to have to follow the manual like any other engineers. And we discuss, we are paranoid as in we discuss hypothetical attack that never happened yet. And we publish research that helps other to create more attacks. So we have a very, very bad reputation in general, which doesn't help. And just earlier this week, there was this article that was saying that basically you should never hire someone that comes from a firm that had a security incident previously, which is like very positive and, you know, like very nice for the whole industry. And security doesn't have easy metrics. So in the end, defense is very political. And the pandemic certainly didn't help altogether. So it's easy to feel very bad about all this, but we are a lot more than our work. And it's sometimes hard to remember it. We are a lot more. Our worth is much more than just the work we provide. And all your efforts now in InfoSec are not worth anything if you burn out and live in Forsec or anything or even commit suicide. So my first mistake. So again, I speak about my mistakes that I did in the past. And I will use this acronym. You're not an idiot if it is normal and okay to the red and the green one further. And I will just present what I was thinking wrong in yeah, my whole life. And it started first to be to understand there are different kinds of personality. It's normal and okay to be different. I mean, my people in my family were like super efficient. And I was like super inefficient, but while varying very creative. So there are people who can just read a book and learn it. And I just can't. And for me, I need practice. I need genuine motivation. When I started learning English initially, I hated it because I saw no point in doing so because it's only when I was told that there are other people who speak it and there are other kids you can play with. Then it made sense to me and then I was motivated to do so. But many people don't need that. And it was a big problem for me to understand that. And it was one of my first mistakes. But maybe you had it too. And then there's another problem with school. And again, pretty school provides a unique form of learning while there are plenty of ways of learning. And if you give me just a book and a teacher, I give up instantly because it just doesn't work for me. I need to play around to spin the fidget spinner to, you know, I need to play with files until I can learn the format. If you just give me the specs, it just doesn't work with me. While on the other hand, if you tell me, hey, have fun and then I use it like a toy and then I know it inside out. And the other thing is school taught us that failure is not an option because kids don't know the rules. So we are all born hackers. We just try in any way to do stuff we want to reach the suites in the box. And then eventually the rules are enforced by our family, by school. And now our work is full of the opposite. We just have to fail repeatedly. So not only in general, it's important to fail. It's normal to fail. It's important to overcome that unlike what we were taught at school. But in our work, it's even more important because you just, when you're doing research, infosec research, it's like an external attacker. They keep on experimenting and failing most of the time to just have one success in the end. So this is for the studies part, but once studies are over, well, you're not an idiot if you think your diploma was mostly useless. It's just basically the introduction to the world of job. I mean, that's what I was thinking. I was thinking and I was wondering, why is my diploma so weird? Okay, on the other hand, at my time, there was no infosec diploma. So basically, I just started learning all the things because this was too new. But still, anything you learn now, your diploma eventually is useless or mostly useless, let's say. And one very important topic is that the imposter syndrome, I still have it. I mean, I've been presenting for like 10 years or so. Despite my experience, I'm still worried that including this talk, there's nothing interesting in everything. But just here to stay, just that I am, yourself, if you have the imposter syndrome just means you're self-conscious, it's probably better that you're worried as an expert than being an idiot who's shameless. And the imposter syndrome altogether can kind of be bypassed or ignore or silence, temporarily snoozed by just helping someone. And sometimes you just need to help someone with very little things. You can meet an expert on something and just help them with something they just don't know. Don't assume people know everything because obviously that's wrong. Of course, some people are never satisfied and mansplaining or well, not for me, but arrogance and the Duning-Kruger effect, as I mentioned, and there's also a lot of gatekeeping in Infosec, where people are just going to tell you that you're wrong for using not VI or IDAR or whatever. And this is just so wrong just because if you just do the same thing like any other people, then you just end up doing the same thing. While the hackers, the attackers, they want to find new attacks. Therefore, they need to try new ways to find new results. So don't worry if some people are never satisfied just because you created something new, it's not a problem in yourself. And when you hear why are you writing a disassembler again or anything, no need to reinvent the wheel. It's like, why not? Just be honest and don't present the ideas new. But besides, we still use car bikes, tools, bread, basic mathematics. So we don't claim that everything is new. It's just that it doesn't have to be new. We still live the same way. We mostly live in a lot many ways like we used to 50 years ago. So it's not like it's a problem. And it gives actually more variety to the audience, which is a good thing. So just don't be gatekeeping about someone just writing yet another assemble or anything. Why not? And sometimes just a different style can make things click, like the manga guide of cryptography. It's like, why not? If some people can learn efficiently that way, why isn't that a bad thing? And it can make a difference. And a different style will reach different users. Like I'm collaborating with cryptography, cryptographers. And I definitely don't need to learn the whole thing about crypto because it just kills me. And my cryptographer colleagues definitely needs the whole detail. And my brain is not good enough for them to afford all these details. And I need simplified expression. So it's like, I'm the one who will do the manga guide to cryptography. And it would be useful to me. And you don't need to be gatekeeping about, hey, I'm like, I'm allergic to too much Greek on a single page. So it's really important to remember that. It's helpful to remember that. So it's, it's also normal and okay to feel stuck in the loop because before we were in school and we were at the school was creating differences every year, we go into next year and so on. So it is this feeling of evolution on top of that we are growing like physically, we can tell the difference. It was a normal aspect. It was a normal aspect. But suddenly you're out of your studies and you're out of your, you're in a job and it feels like groundhog day where it's looping over and over. That's actually a good thing. But it doesn't mean that even if you feel like you're going in circle, it just actually you're making slow progress. So take one small step after another. And eventually you reach what you wanted, but of course, don't be in too much a hurry, too much in a hurry. And it's okay if you just want to try something different. And very often when you try something really new, the others will be against it because they were like, why nobody did that? It's totally weird. And what is such an idea? And it's exactly what happened when I initially wanted to write files by hand. I thought it was useful and all my closest friends and colleagues didn't understand because no one was really doing that. And it was seeing as not to benefit and too weird and too a waste of time. And until it has some enough success, then suddenly it was like, wow, that was brand new. And of course, if you have a new idea, an idea is worth nothing if you're not trying it. So if you have an idea not trying it yourself, then yeah, it's probably not even worth trying because no one will try if you don't yourself try. But very important, it's important to not burn yourself trying to be perfect just it's very normal, but bad. It's something I really did to expect too much of myself. Actually, I started having problems with health very shortly after joining Google because I was so enthusiastic and I thought I need to understand everything and goddammit, that's a dangerous idea. And sometimes, yeah, it's better to just have fun or just to lower your expectations and then actually get something done, but not like kill yourself in the process or burn out or run out of energy or anything or, you know, or at least if you don't, I'm telling you it's really important not to. And yes, you are the most important person in all this. So focus on yourself first. Of course, you even if taking breaks and procrastinating may not be maybe a requirement for you, like you have to understand to know that it's a requirement for your body, otherwise your body will break. And it's very important. And sometimes it has nothing to do with work. So it's very important to follow to learn that yourself and to respect that because otherwise you'll face a lot of health problem. And when the health is gone, well, there's no one there's no one left. And yeah, so it's totally normal. If you got it wrong so far, for many reasons, for all the medias are presenting about what we should do. And we believe that other people are just so awesome at it. And I've now known so many colleagues who are just honest and how just taking breaks and everything, while even my own parents would be more like they have to look perfect. And to pretend that everyone is invulnerable, which is just doesn't work. Or at least not with everyone. So it's okay if it doesn't work with you. And yes, make be sure I mean, it's weird because you might be plenty of logic and some and good decisions. But you will meet some people even in your own family who will take the worst decision possible, even against their own interests or their closest friends, just based on fears or traditions or ideologies. And no matter how stupid they are, whether it's sexism, racism, religion, or any kind of habits. And this, it's, it's, it's very sad, but it does happen. So believing command, they won't do that is actually could be a risk because you, even if like the whole team is at risk, then your manager could decide to, to do the worst. And it's something I really learned. If I did, I didn't, I wasn't ready, but it was still important to how can I say, it was, it was, it was have been better if I actually got ready for that to happen. You know, it feels like this kind of thing just happens in movies or whatever in the worst case, but sometimes it really has, it really happens too. For real, like even in your family or in management or in your team or anything. But all this about not being an idiot is not an excuse to have a bad attitude. It's okay to different to be different, but everyone has their limit. So just, you all can also, it's not an excuse not just to be a jerk, basically, and be wary of bad habits because eventually what you say, what you think, what you say becomes habits and then become your character. And then people judge you on that. So be careful of that because some people just now cannot change their character anymore. When it's too late and your past is no excuse, it's okay to be insecure, but not to be a jerk. And yes, I did a feature to Gmail. So it's a funny comic for me. Bo before my greatness, you pitiful humans. Sometimes he's a bit arrogant, but definitely ask me in private, but yes, some Googlers are really arrogant, which is why sometimes it's a bad thing for applying to a company because, well, we had a bad luck with a few Google types of other years. But again, remember that nothing comes easy. Anything takes a long time to master. And if you can still, my rule of thumb is that if you can still count how much you've tried something, like how many days or hours or something you've tried, that's probably not much. If your head hurts just by estimating how long you tried something, then it's probably good. And if you ask, I don't know, Lionel Messi, how much time he kicked the ball? It probably doesn't even make sense to ask the question, right? How many times did I open a file in a Hex editor? I have no idea. I just did it for 20 years. Maybe more, I don't know. Well, yeah, actually 20, 30, I don't know. And face it, if a lot of people ask me, how can I go into infosec and everything? And face it, if after long enough, you never tried, then you were probably never actually interested. I remember when I started in infosec, the cool thing was rootkit and stuff. And in the end, I never took the time to look at it. And if you look at something and you kind of still hate it after some time, be honest and move on to something else, it's okay. And by the way, if you're always doing it wrong, and no matter what, some one person is never satisfied. What if you actually did nothing wrong? Maybe you're just being manipulated, but it's hard to admit, right? Ever heard of gaslighting? It's actually based on the play and you can watch the movie online. And it's very interesting because it's, yeah, basically what started this term. And it's always also introducing some features that you might see in real life from some people. And these people could be relatives, your manager or whatever, your management or your colleague or anyone really. But in more details, there are 30 characteristics of manipulators. And if any of these rings are bad, then maybe it's not you who was wrong, but the person who's doing that. Of course, I don't ask you to read that now, all of them. You can read that later. But really, if any of these rings are bad, it's probably worth reading more on the topic. Manipulators can really be anyone, whether they are in power or they are feeling looking very weak, they can change over time. They can be people who are very nice before and by getting older or anything, or by changing attitudes, it gets worse. And also it's very, sometimes it's very painful, even if you see someone being manipulated, it could be very difficult for that person to acknowledge that they are being manipulated because they are so sad that they're close one or the person they like is actually manipulating them that it can trigger a huge denial. And that's really very important. And what can you do against a manipulator? Well, first keep your distance and preserve yourself. A therapy may be impossible to undergo because how can you get to therapy if authorities can be fooled and there's no proof, like it's only private conversations and so on. So really, I met many, I mean, different, several manipulators in my management or in my family. And really, it's not necessarily easy. And sometimes there's just no fix. And be aware of those eager to help you because in many cases, the people who can want to help you, they just want to help you in some ways, like comforting you or saying, oh, my poor one, but actually not really helping you. And they just ignore your needs, but they just help you in the way they accept to do so and not not maybe actually helpful ways. And if you think, but I want to fight back, I don't want to run away and everything, then you might lose yourself in a fair and endless fight because this person's the manipulator, it's part of the nature to do that. So it's their full agenda to do so. And it's probably in the end better to be free, even without this person that you may like before, than burning yourself out in vain. And when you realize that your second life begins when you only have one, then you start to accept that your life could be without this person. I'm not sure if it makes sense. Let me know if you have any questions, but definitely, initially, you want your life before back and you want the love or the respect or the reputation back. But in the end, you could burn yourself out and eventually you realize that your future is in another direction. So maybe despite all these examples, we are still somehow idiots. But the question is not whether we're idiots or not. The question is like, why should we care? Because we all worry about this only because we can worry about this. It's a question of time and priority. What do I mean with that? So in January, I suddenly became a single father of three boys aged from nine to 15. And basically, I'm beyond busy because I'm the one permanently providing food and advice for school and also working and everything. And suddenly, I have absolutely no time, what do neighbors think about me? I have very like, suddenly, I really stopped giving a fuck. Not because I was agnostic or I mean, not the other was apathic, but just because I couldn't, I just don't have the time. So very easily, I mean, very easily. I have to ignore a lot more than I used to because my kids, the future of my kids depend on that. And when you're in such a situation, you're actually much lighter because you just don't have the time to care about this. And the reason why I don't feel like an idiot anymore is that no matter what, whether I'm an idiot or not, I am their future. I am the future of my kids. And this is why I just have to take decision and do them and implement them. And whether they were not the optimal decision or not, it's not like someone else is going to fill in the role and do it for me. So this was also very important for me to realize that it feels like endless tunnel. And this is actually right. There's no end to your channel because you're the light. It's not like this situation is going to stop. It's just that in your delight, I am the light for my kids, but you are the light for other people in your team, in your friends, in your families, whether you realize it or not. And I didn't realize it until I was like faced with the situation. So I'm not sure you need such a situation yourself. But now myself doubt, I have no time for that. And the need for external validation. Sometimes I ask for advice, but I cannot afford wasting time for that just because my life is just so busy. And if you don't want, feel free to come and help me just a day or if you survive. Because it's like really, and yeah, another thing is like, I don't know what's worse, the men who just tell me they take care of a house because they touch a sponge in the last month or the women who just tell me I cannot manage because only women can. So it's a very funny situation that you get a lot of gatekeeping in both situations. Anyway, so that's why I'm not, that's why I realized that we only care about this and we feel like an idiot because we have, we can give it priority high enough to care and we have the time to care about that. So it's important to learn to prioritize to realize that some people just don't deserve your time. And you don't control the action, but you control your response. So this is another way to save your health. And another thing is that if you're considering to commit suicide, because I did, there are only, I'm not an expert in that situation, but maybe and more than you think people care about you and they will be in pain. And for me, I started being violent against myself like it wasn't, it was a slow suicide or something. And I thought my kids didn't care. And it's when my own child started to mimic me and hurt himself the way I was doing that suddenly I realized that he cared much more than I ever thought. And I'm glad I could see that before dying. And on top of that his pain, seeing his pain was much more painful to me than my own pain, because I saw my pain as the last pain before the freedom. So what I'm not obviously the best expert, but from my personal experience, I'm glad I could realize that people care more about me than I thought. And they will be in pain. And their pain would be much more than mine, because again, committing suicide itself was not the hard part. I mean, it was like my last path, my last step to freedom. So maybe it's a bit gloomy, but yeah, that's my life. And yes, COVID certainly didn't help. So maybe we're all idiots. But in the end, why should you care? Why should we care? Because in the end, if you care about being worrying about this, it's probably because you can give it priority high enough, or you have the time for that. And hopefully, you went through similar experiences. And you may not be the only idiot. And hopefully one of my experiences maybe you think, hey, I'm not the only one. Maybe it's time to tackle it in a different way. So thanks for your attention and take care of yourself.