• Who are you / Who is Gynvael?
  • An enthusiast programmer with a passion for computer security and low-level concepts of IT. Author of the book “Zrozumieć Programowanie” [Understand Programming], Editor-in-Chief and creator of the experimental magazine Paged Out!, as well as the author of numerous articles, publications, podcasts, and conference talks devoted to the above-mentioned topics. In 2013 in Las Vegas (together with Mateusz Jurczyk) received the Pwnie Award in the category “The most innovative scientific research” in the field of computer security. Co-founder and former captain of Dragon Sector team, one of the best Capture The Flag teams in the world. Chairman of the Program Board of the Security PWNing conference. Since 2010 lives in Zurich, where he works for Google as Technical Lead / Manager in a security engineering team.

    Switzerland in a nutshell - view of mountains / lakes.
  • Where do you live?
  • In a small town in the Canton of Zurich in Switzerland.

  • How old are you?
  • 37

  • Where did/do you work?
  • During my university years, I have worked for one of Polish anti-virus companies (ArcaBit). After a year, I went on to work at a Spanish company Hispasec (known for, among other things, VirusTotal), and after three more years, I have moved on to Google, where I have been working for the past 10 years.

  • At what positions have you worked/are you working?
  • Always mixed/combined/multiclass. At ArcaBit, it was programmer / reverse-engineer, at Hispasec – security researcher / pentester / malware analyst / programmer (true full-stack: drivers, desktop apps, web app backend/frontend, and even a mobile application) / local manager / or even furniture assembler :). At Google, the official position is Software Engineer + Tech Lead / Manager in one of many security teams (and in practice, the above-mentioned roles were joined by, e.g. electronics as well as many other things).

  • What are you doing now?
  • Apart from work (see above), I stream on YouTube twice a week (Wednesdays in English, Thursdays in Polish), I also oversee the creation of the Paged Out! magazine, and help a little with the Programista and Programista Junior magazines. Aside from that, if I have time (what unfortunately is a rare occurrence), I partake in CTFs with the Dragon Sector team. I am also a member of the Program Board of two Polish conferences – PWNing and CONFidence.

  • What's your streaming setup?
    • Software side: OBS Studio + Browser Source plugin with a set of custom overlays (HTML/CSS + art) and quite a lot of JavaScript connected to a Python mini-backend, which in turn is connected to an external question panel also in Python, and that's connected to a couple of chat bots - yeah, it got kinda complex on the way. There's also a custom OBS Studio plugin to play the intro animation. And VB-CABLE virtual audio device for some audio routing.
    • Hardware side: a bunch of Logitech HD Pro Webcam C920/C930 webcams, Blue Yeti Pro microphone, and a Game Capture HD60 Pro HDMI capture card (which I've used like... once). That, plus 4 LCDs (1 for the livestreamed desktop, 1 for OBS Studio / YouTube preview, 1 for chats and 1 for various control panels - music, questions, etc).
  • Hardware:
  • Software (what do you think, are you using any, if yes – why):
    • Zooming / drawing on the screen
    • SysInternals / Microsoft ZoomIt

    • OS (Linux vs Windows vs macOS) and why Windows?
    • PC/Laptop: Windows as main desktop OS + Ubuntu Server on a VM.
      Servers/VPSs: Ubuntu Server.
      Why? Personal preferences :)

    • Why don't you use WSL/WSL2 instead of Ubuntu Server on a VM?
    • Mainly because my setup is older than WSL/WSL2 and I don't have yet a good reason to migrate. Also, WSL didn't support some Linux kernel features I've been using (e.g. various filesystem support).

    • Why do you have Linux windows next to the Windows ones in the streams?
    • I have quite a unique configuration, which combines some of the advantages of Windows and Linux. More about that can be read here: https://docs.google.com/document/d/1bq3lXdB2G4Mr2xVSxGdx6icleV7bfWbDUQUOuXzftTY/edit?usp=sharing

    • Disassembler/Decompiler
    • Mostly IDA, although sometimes I use Binary Ninja and Ghidra. Additionally, ndisasm (part of NASM) and Capstone.

    • Transparent proxy (burp/zap/mimtproxy)
    • Fiddler and a whole lot of ad hoc scripts in Python.

    • Antivirus
    • None. There are some disadvantages to using AVs in some cases, i.e. they increase the attack surface (see e.g. the classic Sophail research by Tavis Ormandy).

    • Full disk encryption, bitlocker, veracrypt, truecrypt (hehe), LVM
    • Yes. Different things on different computers. Sometimes also additional encryption of specific folders / files

    • Pwntools?
    • I don’t use pwntools for two reasons:
      1. I have my own mini-framework that I use (which also has about 1% of pwntools features, but that’s enough for me).
      2. Anytime I try to use pwntools, something’s not working :(

  • What programming languages do you know?
  • I most often work with Python, C/C++, JavaScript, and Assembler x86. Apart from that, in years past, I have more or less written in many other languages like PHP, Perl, Java, Turbo Pascal, different variants of BASIC, or more specialized ones such as mIRC Script or eScript. I happened to also write few-hundred-line long scripts in batch (.bat) and Bash (not sure I should admit that though).

  • Which languages do you not know?
  • I practically know no functional languages. I also did not play neither with Rust (although it is on the to-do list) nor C#. And I played with some only for a very short time (e.g. Go lang). There are many other languages I never touched, but these ones I'm most frequently asked about.

  • How long have you been programming?
  • I began my adventure with programming when I was 6.

  • What was your first programming language?
  • Atari BASIC <3

  • What certificates do you have? What do you think about certificates (OSCP, CISSP, CEH)?
  • I don’t have any certificates and in my particular field, I don’t feel the need to have any (from my limited experience, certificates are neutral, that is they do not help to get work and they don’t hinder that either). YMMV.
    From my perspective, they are useful in two cases:
    1. If you want to start work in companies/institutions that require such certificates or in companies who perform services for such companies/institutions.
    2. If you want to have a certificate or use obtaining the certificate as a source of motivation for learning.
    In such cases, I highly recommend obtaining the certificates you dream of :)

  • What do you think about this programming language:
    • Golang
    • I only played with Go after it came out – I wrote a simple raytracer (https://gynvael.coldwind.pl/?id=249) and that’s how my adventure with that language ended. It seemed, however, a nicer alternative to C in some applications (and definitively safer).

    • C++
    • A language with many traps and pitfalls. One of my favorite programming languages, but to write safely in it, you practically need to have a doctorate in it. Two very good sources of knowledge about the language:
      Specs: https://isocpp.org/files/papers/N4860.pdf
      C++ Core Guidelines: https://github.com/isocpp/CppCoreGuidelines

    • Python
    • The default implementation is slow (VM without JIT + GIL), but it works well for threads of the I/O bound type. Additionally, a vast collection of easy to install libraries, clear and very convenient and expressive syntax as well as its popularity in security/hacking makes it one of my favorite languages.

    • JavaScript
    • It is currently a very popular language which was created purely organically in the world of the browsers over many years, hence, many weird design decisions can be found in it. I personally like JS but... it is a language that has been through a lot and it requires patience as well as love from the programmer.

    • Rust
    • Rust is on my to-do list but I have not reached it yet :(

    • nim
    • I have no idea what this is – foxtrot put it here, so it’s all his fault.

    • Haskell
    • I know nothing about functional languages :(

    • Java
    • Generally a fast and safe language, only very verbose/wordy. I've written more in Java back in the days, but currently I basically only read Java code (without writing any).

    • C#
    • I have written almost nothing in C# – at most I happened to debug or read some code. It looks OK.

    • Ruby
    • When Python meets Perl. I've mostly played with Ruby on CTFs, so I don't know too much about it.

  • Is it worth to go to a university if you want to work in IT?
  • Short answer: If you are not working in IT at the time of deciding if to go to a university, then I encourage you to go to a university – at the very least to have more time for developing/honing your skills on your own.

  • Is it better to choose full-time or part-time studies?
  • I have no opinion on that – both types have their advantages and disadvantages.

  • I'm already X years old - can I still learn programming/hacking/etc?
  • Yes. There two mundane things you'll need to consider though:
    Will you be able to dedicate enough time during the day to learn it? Programming and hacking take A LOT of time to master.
    Will you be able to survive for a junior's salary? After you transition to programming it will take time to reach regular/senior/staff positions.
    Apart from that I'll just add that it might be easier for older folks to learn programming than for children, as the older we are the easier it gets to grasp abstract concepts (note: this is little more than my shower thoughts).

  • How to begin the adventure with hacking?
  • https://www.youtube.com/watch?v=9I5RAWGWj7I

  • How to begin the adventure with RE?
  • https://gynvael.coldwind.pl/?lang=en&id=664

  • How to find bugs/vulnerabilities in software?
  • https://gynvael.coldwind.pl/?id=659

  • Recommended books:
    • IT
    • https://gynvael.coldwind.pl/?id=427
      And an overview of my library:

    • Non-IT
    • David Weber - series about Honor Harrington (military sci-fi)
      Anne Bishop - The Black Jewels series (dark fantasy)
      Jim Butcher - The Dresden Files series (urban fantasy)
      Michał Cholewa - Algorytmy Wojny series (military sci-fi; not sure if this one is available in English though)
      Mercedes Lackey – any books in the series about the Valdemar kingdom / Velgarth world (fantasy)

Powered By: Gynvael Coldwind