Philippe Humeau

CEO at CrowdSec

March 2021

Philippe makes FOSS and takes our Twitter mic from March 10th to 17th. Thank you, Philippe!

Please tell us about yourself

We are a team of experimented SecOPS. Most of us were part of a pentest (red) team. We did a lot of managed web hosting also in our previous company and some of us also developed Open Source software in the past, like NASXI, Snuffleu Paggus, PHP Malware finder, etc. The team is comprised mostly of “DevSecOps” if this is even a job description. The three founders are from an entrepreneurial background with a strong taste for IT & Security. We just recruited our 11th member, everyone has stakes in the company.

What are you working on right now?

The software is made of two main pillars. One security engine is working on the behavior and the other on the reputation. Basically, the behavior engine protects you locally from aggressive IPs, leaving traces in the logs. Credential stuffing, brute force, credit card stuffing, port scan, web scans, resource abuse, etc. Whatever ends up in the log and could be identified with some pattern. Actually, this covers >90% of all attacks. This one is already very solid and used widely. Once the behavior engine spotted a nefarious activity, it shares the IP involved with the rest of the community (if you want to) but this requires a curation.

This curation process is where we work most actually. It involves a lot of algorithmic work to avoid poisoning (people sending false information), false positive (wrong detections), and attacks with a low signal-to-noise ratio. By this I mean, for example, attacks that would involve several IPs, each having a borderline but yet not aggressive enough behavior to be blocked by the behavior engine.

The second engine, the reputation one, is entirely based on the curated IPs, the one spotted by the behavior engine and curated. You can query the database through very classical API access. Anyone can use it in its context or just use one of our own bouncers to leverage it. (there are some for Iptables, Cloudflare, AWS, GCP, HA Proxy, etc.)

What is most interesting about that?

Well gathering signals is somehow easy. People were looking for the next gen fail2ban and are eager to switch. So we get a lot of signals. But being 99.9999% sure that an IP we tag as aggressive really is dangerous is not so easy. Beyond dealing with attacks like poisoning, we also have to make the system as fair as possible toward people that are indirectly involved. Say you’re in a Starbuck cafe, you use the wifi and can’t connect to a site. Maybe it’s just because the guy next to you just port scanned the website and got banned by our algorithm. You’re not responsible but still get a bad user experience. Not talking about the Starbuck admin that need to clean this. So we are working a lot on making it as seamless and efficient as possible. Blocking the bad guys won’t be so complicated, it’s rather not blocking indirectly people that are not bad actors that is a perk.

There are plenty of previous experiences in this, and not only in IP world (like DNS RBL or AbuseIPDB), but in banks for instance. Where IBAN numbers are getting a reputation to assess whether they are or were involved in strange or potentially illegal transactions. So the super interesting part here is to not reinvent everything but stack on other attempts and think out of the box.

How did you first discover FOSS?

Slackware back in 1995. I’m not sure what I was doing with it but that was sooo exciting. I stopped compiling my own kernel only 20 years later…

This thing was close to impossible to configure properly, but never ever rebooted. I was in my engineering studies by then and we had exotic Unix (MIPS) in our school. To make some projects, they were painfully slow, so having a proper Unix at home made things easier, specifically to learn how to configure and develop C projects.

What prompted you to start contributing to FOSS?

Our previous company had the need for some specific tools. Namely, we built a high security hosting environment. Our CTO was very involved with Open source and the BSD community, our CISO was developing most of our security tools with its team, all of this just made sense.

Many people claimed so, but the team was mostly comprised of pentesters and we had very high exigencies. To properly address modern challenges, we created a “hub” gathering signals from all other security tools. So when Fail2ban, GSec, PAX, our Firewall, our Waf or whatever else was spitting a piece of valuable information, we blocked the IP not only locally but globally on our front firewalls. That worked super well and we started to develop components, that we open-sourced, to complement our existing stack. a WAF (NAXSI) for NGINX was born, Snuffleu Paggus (a PHP7 mod to avoid most XSS & SQL Injection), PHP Malware Finder, etc. We published most of the useful tools we created. On an individual level, pretty much all team members published code, scripts, tutos or even Instructables. Sharing is a mindset, people just don’t get how much richer you get by doing this.

Why should others get involved with FOSS?

When you think that Google even shared (that was a close call though) their main AI tool with the world, you just get how much stronger people sharing can become. Isaac Newton made his most famous statement: “If I have seen further it is by standing on the shoulders of Giants”. This is what FOSS is about. You build above what your peers did before you. By contributing, you make mankind go further. Most of the Internet is powered by Open source technologies. Our fates are linked as a species, and this is true online as well and this numerical link between us all is FOSS. Even Microsoft is embracing this move and including more and more FOSS components. Old school companies, loving the licensed, obfuscated, deprecated models are just reaching their limits… Look a Solarwind would probably never have happened with Open-source based software. Security-wise, this is a sign of trust, of quality, of … respect.

The future belongs to people making FOSS and yes, ten times yes, you can make money doing open source. There are tons of models but as long as you stay faithful to your community and provide great software, for free in most cases, you can align business and FOSS. So this is a career path you can’t go wrong with. DevOPS? SecOPS? Devs? The vast majority of them work with FOSS tools. Kiss the ring or become another Oracle.

How should they get started?

How? Rather when. When they don’t value themselves based on their salary or their comfort based on how much they spend. When money isn’t just yet a question. Teach the kids with FOSS tools. Tell them someone made them for free, for them to learn. Try robot kits, make visual coding, train them in logic and make them develop their own tools. This is what made man what it is, the capacity to create its own tools. Kids are a virgin page where you can write values, and by sharing, they will learn and will want to… share, this will just be natural.

And how? Well with basic visual logic, then through simple languages, but applicable to a personal environment (like a Raspi with Python). Later on, learn a dominant modern language like Go, Rust, JS, etc. and when you’re a grown-up, remember to do your C, this is an invaluable school. Hard but fair, that teaches a lot.

What difficulties and limitations do you see with FOSS?

Some people and businesses still need (but there are fewer nowadays) education. Learn that open doesn’t always mean free, that free means you can contribute, and that if you just use it, it’s okay, you’re not stealing. That FOSS is safer than close code. Technically, we still miss some tools, like good CI online, continuous Security also, etc. but they are coming.

How can they be solved?

Education. Education. Education. By seeing they will learn. People are like Saint Thomas somehow, not so stubborn, just most of the 40+ was born in an age where “close source” was king. They just need an update. Kiddos, Teens, young adults understood because it’s just natural to them.

Where do you see difficulties in contributing?

One needs to understand CI and how Git(Hub|Lab) works. A lot of people are not yet trained and hesitate to contribute because of this limit.

What does a perfect day off look like?

Coffee, a call with a teammate, cleaning small errands so they don’t bounce back later on and … Focus on making my FOSS product known from the greatest number. Telling them “YES it’s free, yes it’s pro-grade and by being a lot, we are stronger. We can defeat hackers, join us”. Late in the day, a teacher from Togo tells me he’s showing it’s student how to secure their IT for free and that he loves it. Explaining that yes, we make money, but no, not on them. Not on contributors, not on people making us strong, just on the one making money on our tech or using it without contributing.

Do you want to tell us something else we didn’t ask?

Well, your job is amongst the most important in FOSS. Education. So keep up the good work!